The Importance of Pentesting

Protect your company against Hackers, not Lamers

solution The Importance of Pentesting

Without a doubt, the recent events in relation to the infringement of privacy, such as the theft of personal information from celebrities, the Sony, Target and Equifax hacks, and the big ransomware that affected Telefonica, make us reflect about how organizations protect their information.

All of this in addition to an economy that is overturned by the digital era, where technological platforms are increasingly more immersed in the business core and where all changes or the time to market has to be faster and faster every time, increases the risks that a company is exposed to, even more so when the company looks to protect itself only to meet required standards and not actually being conscious of what is going on or what they are protecting themselves against.

In the rush to feel secure at a very low cost, many companies incur in great risks when executing "security testing" so that they can show that they are "secure", that they can meet the business needs and that it is appropriate for them to make a release to a productive environment and expose their information.

It is here where the so called “Lamers” come into play, they are simply people or organizations that not only claim to have a certain technical skill set that they do not actually posses but also are not willing to learn. Technological societies come to call them out and render them as incompetent. In layman’s terms, a Lamer is someone who has a below average knowledge, some tools at their disposal and obviously, knows how to google.

But, what does a Lamer have to do with the sense of security your company has?

Amongst the processes and controls implemented by companies to protect themselves are Security Tests. Organizations consider they are meeting the required standards for Security Tests when they implement a specific software (Appliance) to execute a vulnerability analysis with the sole purpose of meeting what the security area inside the company is requiring from the production or development team in order to approve a release. However, if the difference between a vulnerability analysis and an Ethical Hacking (Pentesting) is not clear, it can create a great uncertainty and a false sense of security, therefore putting the organization at risk.

A vulnerability analysis is a test performed by an automated tool to verify if the ToE (Target of Evaluation) has known vulnerabilities that are reported in a central database such as the CVE (Common Vulnerabilities and Exposures). This implies that a Vulnerability Analysis alone is not capable of discovering ZERO DAY vulnerabilities. Anyone (Lamer) is capable of running an automated tool but the hardest work comes afterwards, analyzing the results and discarding the false positives (close to 35% of what is reported).

A Vulnerability Analysis usually identifies exposed services without any authentication, default passwords, outdated software, missing patches. etc.

A security test that is based on automated tools (Vulnerability Analysis with selective exploitation), does not allow, from the attacker’s perspective, to identify architectural design and implementation flaws for a specific solution. If there is any supplier that actually exploit the vulnerabilities, this is done based on the results obtained from the automated tool and not based on the attacker’s malice and capacity to interpret the environment.

injection

Figure 1. SQL injection exploit by [email protected]

Unlike a vulnerability analysis, Pentesting (Ethical Hacking), aims to simulate a real attack scenario and procedure in order to compromise the company’s information. Security tests look to assess the effectiveness of the implemented controls, whether it be relevant to the infrastructure or the application. As developers make constant improvements to these systems, continuous pentesting is advised, as it allows them to deploy significantly more secure versions than they otherwise would. Moreover, pen testing allows for a correlation of vulnerabilities which is actually the way a real attacker would look to cause as much damage as possible to the company.

Get started with Fluid Attacks' Penetration Testing solution right now

Diagram

Finding

Figure 2. Vulnerability correlation of findings

One of the most critical factors that Ethical Hacking aims to avoid is the Vulnerability Yield. This can minimized by executing an Ethical Hacking with 100% coverage, in other words, when 100% of the target scope is evaluated.

The only way which the coverage can be determined is by properly delimiting the test that wants to be done. There has to be a standard measurement for this, which is why we propose to delimit Ethical Hacking by a known and previously set scope.

The way to achieve this is by normalizing the drivers by which tests are dimensioned. When we are talking about a security test that evaluates an Application, the number of input fields in the system must be determined. On the other hand, if we are talking about an Infrastructure security test, the amount of open ports must be determined. And finally, if we are executing Source Code Analysis, the number of lines of code is what we need.

Once all of the above scopes are clear, one can be at ease knowing that everything immersed in the technology in mention will be properly evaluated, as opposed to tests that are delimited based on time of execution with automated tools and that only exploit a percentage of the vulnerabilities reported by the tool.

Up next a table that will help us synthesize all the items described above:

Comparative table Pentesting Vs Vulnerability Analysis

AspectPentesting (Fluid Attacks)Vulnerability Analysis (Others)
Revision MethodHybrid (Automated tools + manual expert revision)Static (Automated tools only)
ModelRedTeamVulnerability Analysis with selective exploitation
CoverageVariable CoverageVariable Coverage
Scope DefinitionBased on open TCP ports and visible or invisible form input fields, application headersBased on IP/Host to test and URLs
Professional ProfileOSCP, OSWP, CEHCEH
RetestYesNo
Exploitation100%Variable
False PositivesNoYes (~20%)
Creation of Own ExploitsYesNo
ZERO DAY VulnerabilitiesYesNo
Finding TypesOf a specific business impact, insecure programming practices, alignment with security standards and regulationsBased on signatures. Syntax
Leaks (Yield)0% of the target of evaluation~65% of the target of evaluation
Type of EvidencesImages, GIF or short videoAutomated tool output, Images
DeliverablesExploit Evidence. High-level remediation suggestionsSummary report

Fortunately, when a Pentest is done with Fluid Attacks, our engineers are fully capable of creating their own exploits due to the emphasis they have on programming. This allows them, on many occasions, to exploit ZERO DAY vulnerabilities and report them as soon as possible so as to allow companies to implement the necessary controls in time. Further, with continuous penetration testing, security can run alongside development without hindering its speed. Pentesting is then a valuable technique to enhance the discovery of security issues in the vulnerability management process.

From now on, when a security test needs to be performed because the organization or the current regulations require it, ask yourself, do I want to protect myself against a Lamer or a Hacker?

Share

Subscribe to our blog

Sign up for Fluid Attacks’ weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by JC Gellidon on Unsplash

Definition, implementation, importance and alternatives

Photo by Jason Krieger on Unsplash

Keep tabs on this proposal from the Biden-Harris Admin

Photo by Tamas Kolossa on Unsplash

Vulnerability scanning and pentesting for a safer web

Photo by Alexander Ant on Unsplash

Definitions, classifications and pros and cons

Photo by John Schnobrich on Unsplash

Is your security testing covering the right risks?

Photo by Marino Linic on Unsplash

How this process works and what benefits come with it

Photo by Saketh Upadhya on Unsplash

Get an overview of vulnerability assessment

Photo by Anchor Lee on Unsplash

Benefits of continuous over point-in-time pentesting

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.