Cyber security industry experts gathered this week to discuss the most current and pressing issues in the information security sector at RSA Conference 2022 (RSAC), the world's leading information security conference.
One such topic was penetration testing, the frequent misrepresentation of its results, and the effect this has on the security posture of the infrastructure being tested. The feasibility of exploitation should be the main focus of a penetration test, and it is at the core of VerSprite's testing methodology: demonstrating whether identified flaws can actually be exploited, which solves for the probability variable in a risk analysis of realistic attack patterns.
Tony UcedaVelez, founder and CEO of VerSprite and co-author of the PASTA threat modeling methodology, discusses below the issue of adherence to penetration testing standards and the work of CREST (an international non-profit membership organization that represents the global cyber security industry) on raising and upholding professional standards:
“It’s still happening in the area of exploit and penetration testing or “pentesting” – vulnerability assessment results being masqueraded as “penetration tests” for many businesses.
This misrepresentation and under-delivery of exploit testing undermines the security assurance of the infrastructure that supports data flows for financial, healthcare, retail, banking, insurance, and a multitude of other industries. Ultimately, the companies that unknowingly procure an effort that doesn't prove the feasibility of exploits against identified flaws, or the resiliency of countermeasures, may be led to a false sense of security by simply holding a vulnerability assessment. While there is nothing wrong with vulnerability assessments, and they have their time and place (as they are nested in the broader process of exploit testing), overall, comparing the approaches and deliverables around these security activities is comparing apples to oranges.
This misrepresentation was happening when I first transitioned from IT into information security nearly 20 years ago. Since and even before then, there have been many attempts to raise the bar on what constitutes an adequate approach to penetration testing or exploit testing. But the struggle is real and continues to dilute security assurance across products, networks, and infrastructure. Consequently, it affects all industries and the customers that depend on them.
As a member and accredited company, VerSprite Cybersecurity is pleased to take part in promoting the CREST mission. We had great global representation at the RSAC to discuss scale, approach, and non-negotiables for exploit testing.
If you haven't heard of CREST, they are working to further the mission of accreditation and assurance on various standards, one of which is around penetration testing. In recent years they have been collaborating with leaders in the regulatory, privacy, and government spaces, along with colleagues at the OWASP® Foundation, MITRE, and the Cloud Security Alliance, in order to further awareness, encourage adoption, and help industries align to well-regarded, community-backed benchmarks, frameworks, and taxonomies for what adequate exploit or penetration testing is.
It doesn't stop there either: CREST also helps validate the incident response, security architecture, and red-teaming standards that accredited firms should abide by when delivering business-to-business security services to global organizations."
VerSprite Security Consulting is proud to be an accredited and quality-assured member of CREST and carries CREST's globally respected certifications for cyber security professionals. VerSprite's penetration testing is one of the adversarial security services it offers.