Security Testing

Business Insights

With huge numbers of people conducting their business and significant parts of their personal life online, it’s critical that we can do so securely. To ensure that systems are as secure as possible, we can perform security testing. In this article I’m going to give an overview of two types of security testing known as vulnerability scanning and penetration testing.

Penetration testing, often abbreviated to PenTesting, is a type of manual security test performed against a specific system with the intention of exploiting discovered vulnerabilities to determine their real-world security risk. These are generally time-limited assessments and generally limited to technical techniques only but may include additional techniques such as social engineering or physical access testing.

Penetration testing can be thought of as sitting on a spectrum where on the left we have vulnerability assessments and on the right we have penetration testing. This allows us to compare the differences and also acknowledges there is potentially some middle ground between the two.

Vulnerability assessments (VA) are typically entirely automated, with a software tool being given an assessment scope and it then attempting to automatically find security weaknesses. A key difference with penetration testing therefore is the fact that vulnerability assessments are typically entirely automated whereas penetration testing is predominantly manual. This can be a positive or a negative. It’s a good thing, as licenses for vulnerability scanners typically allow any number of scans to be performed over the license period, therefore this can be a cost-efficient approach to finding security weaknesses. If you make changes to your systems which you may think may have introduced a security issues, then you can start another scan and see.

It can also however be a negative, in such that an entirely automated system will lack the intelligence of a manual penetration tester and this can lead to issues being missed (false negatives), issues being highlighted that are not actually present (false positives) and vulnerabilities being incorrectly graded, as the automated system might not have the full context to grade a weakness correctly. This can be frustrating where a minor issue is graded more highly and therefore wastes resources which could have been prioritized elsewhere, or where a major issue is graded too low and therefore responding to that issue is delayed.

The key difference though, is the fact that vulnerability assessments don’t exploit issues, and therefore don’t allow for vulnerabilities to be chained together. This could mean that you get a false sense of security, if you see only low risk issues in your scanner output you might not take swift action – but an experienced penetration tester would tell you it’s not uncommon for a few “lows” to be used in combination and become a high risk situation.

If you’ve read this far you might get the impression that, well PenTesting just sounds better and maybe you should just do that. It’s true, that PenTesting has a lot of benefits and is certainly likely to lead to more accurate, contextual, results – but as with all things there’s a balance to be had.

You’ll get the most out of any kind of security testing when you start with looking at what you’re trying to get out of the assessment. For example, if you just want to know that your patching policy and process is working, a vulnerability scan would likely deliver that to you in a highly accurate and cost-efficient way. Many scanners can be configured to perform an authenticated scan of your systems and then they’ll simply login, grab the list of installed security updates and compare that to the list of available security updates from the vendor – if the lists don’t match you’ve got an issue, if they do then you’ve got assurance.

If instead you’re looking for what kind of impact could a dedicated and skilled threat actor do, if they targeted one of your digital systems with the specific intent of compromising that system, then penetration testing will likely be better. It will get you far more accurate results and will be able to demonstrate the risk too, by showing which issues can be readily exploited and what leverage a threat actor would have if they were successful in exploiting a present vulnerability.

I hope this introduction to security testing has given you a little more detail about the types of testing that can be conducted and the benefits and drawbacks of each. However, it’s fair to note there’s even more to security testing out there – such as red teaming or bug bounties and there’s a lot to be said about vulnerability management and remediation, but I’ll save that for another time.

Author: Holly Grace Williams, Managing Director at Secarma Ltd. -