What is the end result of a penetration test?

609    Asked by Anil Mer in Cyber Security , Asked on Apr 13, 2022

 I'd like to ask you what should be a satisfactory result of a pen-testing job?


My main concern is that pen-testing is hard and it won't always result in gaining remote shells or roots. However, it is much easier to list potential vulnerabilities.


For example, if there's PHP version 4 from 2007 I can list it as a potential vector but I may be unable to exploit it. Is successful exploitation a requirement for a pen-testing job? Would vulnerability be a good result of the job as well if there's some successful exploitation included (but accounts for less than 1% of all possible issues).

Answered by Andrew Jenkins

The answer to your question - What is the end result of a penetration test is - you have to actually attack the target system and keep a record of your successful and failed attempts. It's not sufficient to simply conclude that a server should be vulnerable because your fingerprinting tools revealed an outdated software version. You are explicitly taking the perspective of an attacker and have to demonstrate how the system can be penetrated. The SANS Penetration Testing paper makes the following distinction (although definitions vary): Pen-Testing vs. Vulnerability Assessment

[There] is often some confusion between penetration testing and vulnerability assessment. The two terms are related but penetration testing has more of an emphasis on gaining as much access as possible while vulnerability testing places the emphasis on identifying areas that are vulnerable to a computer attack. [...] A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract. That said, your average customer is probably unaware of this distinction and maybe doesn't really want you to spend too much time going "as far as you can". It might be more important to them to receive clear instructions on what exactly needs to be fixed rather than getting a list of all your root shells. You will have to find out beforehand what they effectively want to achieve by letting you test the system. Your customer should be aware that a penetration test is not equal to a comprehensive security assessment.



Your Answer

Interviews

Parent Categories