
Are pentests sufficient to guarantee the security of your information systems?

Updated: Mar 15

What exactly is a pentest? How does it work? What are its objectives? Pentests are often the most popular offering among cybersecurity providers, but are they really THE solution?


Last Wednesday, the technology, cybersecurity and hacking podcast, Paul's Security Weekly, welcomed its newest member, Adrian Sanabria. Adrian Sanabria, co-founder and director of research at Savage Security, has nearly 13 years of experience in implementing security programmes, cyber defence for large financial organisations, and penetration testing.


Penetration testing, or pentesting, was the first topic Paul, the host of the podcast, raised as he welcomed Adrian Sanabria, who is well known for having led a high-profile campaign "against pentesting" in 2017.

Penetration testing, also known as "ethical hacking", is the simulation of a cyber attack carried out to determine how vulnerable computer systems or networks are (1). The testers conducting a pentest use the same methods and techniques as real attackers.

When carrying out a pentest, several approaches are possible: the black-box audit (no information is given to the testers before the attack; they have only the company's name, an IP address or a URL at their disposal) and the grey-box audit (the pentesters attack the company with some information about their target already in their possession).

It is against these two forms of pentesting that Adrian Sanabria has led his fight, describing them as "mediocre".

In his opinion, pentests are not enough. A pentest report, he explains, "reports on the symptoms of the problem, not the root cause". Because they are expensive, many companies cannot afford more than one or two pentests per year, and each delivers only a vulnerability report, of variable completeness, that neither explains the causes of the findings nor corrects them.


He therefore favours an evolution of practices he considers outdated: experts need to look beyond simple pentesting, take the time to find the origin of the problems and to correct the flaws detected, and thus deliver more value to their clients. He also insists that experts accompany their clients over the longer term, because a lack of support and follow-up in the implementation and configuration of security processes is very often the cause of many vulnerabilities.

In his opinion, this need not cost more money or time: experts who have all the necessary information can identify weaknesses more efficiently and spend more of their time addressing the root causes of the problems.


In our opinion, we should not go to the opposite extreme. Pentesting remains a useful method for verifying that countermeasures have been implemented effectively, following an audit and remediation campaign, but it cannot realistically be the core of a cybersecurity strategy.


The white-box audit is not a pentest per se; it is a much more thorough analysis of system security. It provides a comprehensive assessment of internal and external network vulnerabilities. White-box testers work closely with the developers, which gives the experts a high level of knowledge of the system and lets them work from information that attackers do not have (2).


At the heart of such a strategy, we at CyberSecura believe that the white-box audit should be one element among others, within long-term support that also includes the study of causes and countermeasures, their explanation to the client's teams, support in implementing those countermeasures, and verification that they have been set up correctly. Raising awareness and training the teams makes this more effective still.

This is what we always recommend to our clients, and this strategy for long-term effectiveness is generally appreciated by them, as they understand the importance of thinking long-term.
