Nick Rafferty, Chief Operating Officer at SureCloud, explores penetration testing.
Ten years ago, penetration testing was viewed as a luxury service, typically aimed at ensuring that companies’ network perimeters were secured against malicious external attacks. Most organisations commissioning this type of test would extend it to their internal networks, so they could establish how far an external attacker would get after breaching the perimeter, and also understand their level of protection against insider threats.
The tests were typically conducted once per year, with the time in between tests spent wading through the output – most likely PDF documents – to extract the key findings and turn them into operational activities aimed at rectifying the issues that were discovered.
More recently, we have seen the emergence of vulnerability scanning software, an automated way to perform more frequent vulnerability testing, but not to the level of rigour the company would receive from a penetration test performed by a security expert. These automated scans were seen as a major step forward in security assurance, with the penetration test providing the ‘rigour and depth’ of human testers and the vulnerability scanning being seen as the ‘frequency and breadth’ that automation could deliver.
What the vulnerability scanning providers had in common was a management capability that delivered the output as interactive reports and automated the remediation workflow. So for a number of years we were left with a scenario in which a company would penetration test annually and vulnerability scan on a monthly or bi-monthly basis.
But if we look at how the security landscape has evolved over the last 1-3 years alone, we can see significant shifts: