Are penetration tests effective at determining risk?


CISO, 10,001+ employees
You're going to go through this as you do your attack and penetration test management response. When you have a security researcher or an attack and penetration security researcher come in and attack you in a certain way, they will say, “We found something and it was bad.” They won’t specify the way they got through all the different protections you had around them, or how fast you found them; all of those things are left out of context.

As you build up your management, your response, you say, “Wait a second, wait a second, I understand when you look at that with tunnel vision, it looks like we had a failure, but when you look at all these things wrapped around it, that high or critical really becomes a low. Because there's no way you would have been let in the door freely the way we let you in, because we wanted you to do this testing on us.” So that already brings it down a notch. We have all these external protections. From my perspective, it's really getting that context. It's not just this, “do you have it or don't you have it?” It's putting it in that context, what wraps around it, to really give companies an understanding of true gaps. Because those true gaps are the things you just cannot ignore.
Director in Consumer Goods, 51 - 200 employees
In my previous job we focused on security assessment and pen testing to see what could be identified to validate security practices.

Director of IT in Healthcare and Biotech, 10,001+ employees
A couple of aspects need to be considered about penetration testing for it to be effective:

Just testing the application is not sufficient. Each layer in your architecture is almost equally vulnerable. Endpoints, applications, network, servers, etc., everything should be within the scope of pen testing.

Pen testing is not a static entity. The strategy, scope, approach and process to execute penetration testing should be revisited frequently. As the technology and the threats associated with it change frequently, the effectiveness of once-great pen testing diminishes very quickly if not updated often. It should be revisited and redefined at least every quarter, if not more frequently, for it to provide the value it could.

Pen testing is a tool, and just as any other tool, it can be effective only if used well. When implemented well, and by keeping it current and active, it can serve the organization well.

Chief Information Officer in Healthcare and Biotech, 1,001 - 5,000 employees
Penetration testing is a useful tool as part of a holistic risk-based approach to cybersecurity. The point is it is a tool, and not the ultimate indicator of risk in an infrastructure. While pen tests can reveal a lot about an infrastructure in a short period of time, it is important to understand what the exercise reveals. Vulnerabilities are critical ingress points for attackers. However, the majority of data breaches are due to weakness in staff awareness such as email phishing or malware. Pen test results are helpful for identifying and remediating vulnerability entry points but have little to no usefulness in measuring staff awareness or susceptibility to lateral movement of an attacker in a malware outbreak.

Rather than purely focusing risk assessment resources on measures such as pen testing, it may be a better security posture approach to find effective ways of improving monitoring, identifying weak resources that allow lateral movement of hackers, and taking remedial action against malware and other threats that may already exist in an organizational infrastructure.

Senior Information Security Manager in Software, 501 - 1,000 employees
No. The pen test will only report on vulnerabilities.

Your risk management team must take the results of the pen test, and as part of your risk management process, determine the risk those vulnerabilities create for your organization.
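The CISO's point about putting a finding "in context" (the tester was let in the door, external protections exist, how fast they were detected) and the last answer's point that a risk team must turn report severities into organizational risk both describe a triage step that is easy to make explicit. The following is an added example, not code from any commenter or vendor: a small, hypothetical adjustment model in which each compensating fact moves a reported severity up or down one step. The step weights, the 24-hour detection threshold, the rule that raises severity for activity that was never detected, and the sample findings are all constructed for illustration; a real team would replace them with its own risk-management criteria.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ordered so that index arithmetic moves a finding one severity step at a time.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    title: str
    reported_severity: str                 # severity as printed in the pen test report
    tester_was_given_access: bool          # tester started with access a real attacker would not have
    detected_within_hours: Optional[float] # time until the SOC saw the activity; None = never detected
    external_controls: list[str] = field(default_factory=list)  # e.g. MFA, WAF, segmentation


def adjust_severity(f: Finding) -> tuple[str, list[str]]:
    """Return (adjusted severity, list of reasons) using hypothetical one-step rules."""
    step = SEVERITY_ORDER.index(f.reported_severity.lower())
    reasons: list[str] = []

    if f.tester_was_given_access:
        step -= 1
        reasons.append("tester was granted initial access (not freely obtainable): -1")
    if f.external_controls:
        step -= 1
        reasons.append(f"compensating controls in front of the asset {f.external_controls}: -1")
    if f.detected_within_hours is None:
        # Constructed rule: an undetected intrusion path is worse than the report alone shows.
        step += 1
        reasons.append("activity was never detected by monitoring: +1")
    elif f.detected_within_hours <= 24:
        step -= 1
        reasons.append(f"detected within {f.detected_within_hours:g}h: -1")

    step = max(0, min(len(SEVERITY_ORDER) - 1, step))
    return SEVERITY_ORDER[step], reasons


def triage(findings: list[Finding]) -> list[dict]:
    """Rank findings by adjusted severity; anything still high/critical is a 'true gap'."""
    rows = []
    for f in findings:
        adjusted, reasons = adjust_severity(f)
        rows.append({
            "title": f.title,
            "reported": f.reported_severity.lower(),
            "adjusted": adjusted,
            "true_gap": SEVERITY_ORDER.index(adjusted) >= SEVERITY_ORDER.index("high"),
            "reasons": reasons,
        })
    rows.sort(key=lambda r: SEVERITY_ORDER.index(r["adjusted"]), reverse=True)
    return rows


# Constructed sample findings, not from any real report.
SAMPLE_FINDINGS = [
    Finding("SQL injection in customer portal", "critical",
            tester_was_given_access=False, detected_within_hours=None),
    Finding("Weak password on internal jump host", "high",
            tester_was_given_access=True, detected_within_hours=2,
            external_controls=["VPN with MFA", "network segmentation"]),
    Finding("Outdated TLS configuration on admin site", "medium",
            tester_was_given_access=False, detected_within_hours=None,
            external_controls=["WAF"]),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        flag = "TRUE GAP" if row["true_gap"] else "context-adjusted"
        print(f"{row['adjusted']:>8} (reported {row['reported']}): {row['title']} [{flag}]")
        for r in row["reasons"]:
            print(f"           - {r}")
```

Running it shows the effect the CISO describes: the jump-host finding reported as high drops to low once the granted access, the controls in front of it and the two-hour detection are counted, while the undetected injection stays critical and is the gap that cannot be ignored. The reasons list is kept alongside each adjustment so the risk team's justification is auditable rather than a silent downgrade.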
