I am a penetration tester by trade. What does that mean I do day to day? That depends on whom you ask, because the term is open to interpretation. Penetration testing means different things to different people. What it meant a decade ago is different from what it means today, and that will differ again from what it means a decade from now. So maybe what we really need is a new term for the old standard ‘penetration test.’

Originally, the idea of a penetration test was to get into a client's network by bypassing its security controls (hence the word penetration). The aim was to obtain domain admin credentials and / or access to specific data, which is a textbook definition of a penetration test if there is such a thing. However, “testing whether you can penetrate a security control” now means many different things (not all of which I agree with). Penetration testing has also come to mean:
- A Burp scan, because the scanner attempts things like SQL injection and code injection. The logic here is that if you bypass a filter and cause an error, you have bypassed a security control and have therefore completed a penetration test.
- A web application assessment. Again, the logic is to try to bypass security controls using SQL injection, logic flaws, directory traversal, etc.; by bypassing these controls, you have completed a penetration test.
- Validating that a network share or FTP server allows read / write / execute access. Because you have confirmed that you can access the share and can upload and download files, this counts as a penetration test.
- A vulnerability assessment in which the highest-rated finding is exploited. This can also be considered a penetration test because it tests whether the exploitation is real.
Much of the blame lies with companies or individuals selling things that are not penetration tests in order to make more money. Profit is a big motivator for an unscrupulous agenda, and infosec is no stranger to shady practices, FUD and snake oil. So our industry takes an ambiguous term like penetration testing and reduces it to the lowest common denominator to make the most profit. “Advanced Penetration Testing” is different from pentesting, right? Well, you would hope that all penetration tests are advanced.

The other part of the problem is the wording “penetration testing” itself. Some practitioners use the term goal-oriented penetration testing, which helps to differentiate it from a simple vulnerability assessment. Depending on the goals, penetration tests may differ from one another. My belief is that the concept of penetration testing is to go from external to internal, escalate to domain admin, and / or gain access to critical data. This may or may not require exploitation; it may require pivoting; and in most cases it requires some form of remote control (beacons, shells). The idea is that it is more than a scan and more than just exploitation. Basically, it is “the story of how we got in, and how we got to your data.” This may be what the term “Red Team” has come to represent. For these reasons, perhaps we need a more precisely defined version of penetration testing than we currently have.

You can hear me discuss the future of penetration testing and the current issues in my talk at BSidesLV entitled ‘Automation of Penetration Testing and the Future.’
About the Author: Haydn Johnson has over 3 years of information security experience, including network/web penetration testing, vulnerability assessments, identity and access management, and cyber threat intelligence. He has a Master's in Information Technology, holds the OSCP certification and has recently gained the GXPN certification. Haydn regularly contributes to the InfoSec community, primarily via Twitter, and has spoken at BSides Toronto and Circle City Con.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.