24/10/18 | News
Dr Frans Lategan, Principal Consultant, Aura Information Security
Often businesses might think they’re getting a really good price on a penetration test, when in actual fact they aren’t getting a ‘penetration test’ at all.
In many cases, cheaper options put forward by security companies only use the results of a vulnerability scan or tool, which is usually presented to clients in an impressively thick document that might look the part, but doesn’t actually contain any information that’s of real value.
To ensure your business is getting the most out of a penetration test, it’s important to know the difference between a penetration test and a vulnerability scan. According to Dr Frans Lategan, Principal Consultant at Aura, there are a few things to watch out for or consider:
- Pen tests hardly ever contain false positives – each vulnerability listed in the report has been exploited by the consultant, with evidence attached.
- Pen tests contain executive summaries and an assessment of the overall risk, which helps companies better understand their overall security posture.
- Pen tests often contain new or novel attacks or findings that are clearly not the output of an automated tool.
- A pen test is a sample of what a real, determined attacker would be able to find if they targeted the same site, whereas a simple vulnerability scan would be what a script kiddie would find.
- Pen testers make use of vulnerability scans as well to target their efforts, but the vulnerability scan is just a small part of the overall process, not the complete and final deliverable.
Next time your business is conducting a pen test, ensure you cover off the above with your supplier. And, most importantly, check that it is in fact a person carrying out the pen test because, unless you’re testing your defences from the point of view of a real-life attacker, you might not really be putting your defences to the test at all.