Penetration Testing Standards – a Viral Topic at RSAC 2022

Cybersecurity industry experts gathered this week at RSA Conference 2022 (RSAC), the world’s leading information security conference, to discuss the most current and pressing issues in the information security sector. One such topic was penetration testing, the frequent misrepresentation of its results, and the effect on the security of the infrastructure being tested. The feasibility of exploitation should be the main focus of penetration testing, and it is at the core of VerSprite’s testing methodology: solving for the probability variable in a risk analysis of realistic attack patterns. Tony UcedaVelez, founder and CEO of VerSprite and co-author of the PASTA threat modeling methodology, discusses below the issue of adherence to penetration testing standards and the work of CREST (an international non-profit membership organization that represents the global cyber security industry) on raising and upholding professional standards:

“It’s still happening in the area of exploit and penetration testing, or “pentesting”: vulnerability assessment results being masqueraded as “penetration tests” for many businesses. This misrepresentation and under-delivery of exploit testing undermines the security assurance of the infrastructure that supports data flows for financial, healthcare, retail, banking, insurance, and many other industries. Ultimately, the companies that unknowingly procure an effort that doesn’t prove the feasibility of exploits against identified flaws and the resiliency of countermeasures may be left with a false sense of security by simply holding a vulnerability assessment. While there is nothing wrong with vulnerability assessments, and they have their time and place (as they are nested in the broader process of exploit testing), overall, comparing the approaches and deliverables around these security activities is comparing apples to oranges. This misrepresentation was happening when I transitioned from IT into information security nearly 20 years ago.

Since and even before then, there have been many attempts to raise the bar on what constitutes an adequate approach to penetration testing or exploit testing. However, the struggle is real and continues to dilute security assurance across products, networks, and infrastructure. Consequently, it affects all industries and the customers that depend on them. As a member and accredited company, VerSprite Cybersecurity is pleased to take part in promoting the CREST mission. We had a great global representation at the RSAC to discuss scale, approach, and non-negotiables for exploit testing. If you haven’t heard of CREST, they are working to further the mission of accreditation and assurance on various standards, one of which is around penetration testing. They have been collaborating with leaders in the regulatory, privacy, and government space, along with colleagues in the OWASP® Foundation, MITRE, and the Cloud Security Alliance, in recent years to further awareness, encourage adoption, and help industries align to well-regarded, community-backed benchmarks, frameworks, and taxonomies for what adequate exploit or penetration testing is. It doesn’t stop there either, as CREST helps validate the incident response, security architecture, and red-teaming standards that accredited firms should abide by when delivering business-to-business security services to global organizations.”

VerSprite Security Consulting is proud to be an accredited and quality-assured member of CREST and carries the globally respected certification of cyber security professionals. To learn more about VerSprite’s penetration testing and other adversarial security services, visit the VerSprite website.