At RSA 2018 in San Francisco today Adrian Sanabria, director of research at Savage Security, presented a session on why he believes it’s time to kill the network pen test.
Sanabria explained that whilst the concept of pen testing does and will continue to have value, there are problems in the design and execution of many current network pen test methods that result in them failing to be effective.
Sanabria said that pen testing made a lot of sense in the 90s, as back then “everything that you could use to hack into an organization was pretty much going to be discovered in a pen test. The landscape is vastly different these days.”
What’s more, whilst current pen testing tools get better and better in terms of their sophistication, the precipitants of them really don’t know how to make things better aside from applying a patch or changing a default credential – that’s not really solving the problem, Sanabria argued. “Amazing tools are out there but the technology and level of maturity of pen testing as a skill has far outgrown the average company’s ability to defend themselves.”
There’s also the issue of pen tests being “a very slow and expensive way to work your way through just a few of the CIS Top 20” whilst they don’t help you with the basics.
Ultimately, Sanabria said that current pen tests aren’t working; they’re not making organizations safer and they’re not making defenders better because they:
- Focus on symptoms, not root causes
- Focus on preventative controls, not detection
- Focus on depth, not breadth
- Focus on finding issues, not fixing them
- Have a lack of improvement metrics
However, there is a need for them, he concluded, as they can convince organizations to take security seriously. Any replacement for pen tests will have to also satisfy that requirement, but they need to be made more effective and give defenders what they really need: maturity, confidence and resilience.