However, the question is: what are the real benefits of a pentest for the client company?
What is the real value of a penetration test?
Many clients have misconceptions and false assumptions about penetration testing and engage in this type of project for the wrong reasons, such as:
- After a penetration test I will be safe
- A penetration test will find all of my vulnerabilities
- I’ve heard that pentesting is ‘sexy’ so I would like one myself
Companies that commission penetration tests for these reasons do not get the real benefit of the service and are practically throwing their money away.
From my perspective, a penetration test has the following true benefits for the client company:
1. It reveals a set of vulnerabilities
Not all of them. The number of vulnerabilities identified depends directly on the duration of the test, the skill of the testers and other factors such as network connectivity, active web application firewalls, application instability, changes to the systems during the test, and so on.
However, a penetration test usually focuses first on high-risk vulnerabilities and, only if none are found, moves on to the medium- and low-risk ones. That is why, in order to improve the security of the target systems, penetration tests and vulnerability assessments should be repeated periodically rather than treated as a one-off exercise.
2. It shows the real risk of vulnerabilities
Because penetration testers attempt to exploit the vulnerabilities they identify, the client company can see what an attacker could actually achieve if those vulnerabilities were exploited in the wild (e.g. gaining access to sensitive data, executing operating system commands, attacking users, etc.).
Sometimes a vulnerability that is theoretically classified as high risk is rated medium or low because it is difficult to exploit in practice. Conversely, a low-risk vulnerability may have a high impact in its particular context and so become high risk; a chain of individually minor issues can likewise add up to a serious compromise. This kind of analysis can only be performed by specialized people.
Furthermore, human analysis of vulnerabilities removes the false positives that automated scanners produce, so the report should contain only confirmed findings. This helps the client company reduce the time spent investigating and fixing the vulnerabilities.
3. It tests your cyber-defense capability
During a penetration test, the target company's security team should be able to detect multiple attacks and respond to them in a timely manner. Furthermore, once an intrusion is detected, the security and forensic teams should start an investigation, and the penetration testers should be blocked and their tools removed. This benefit only exists if the security team has not been told about the test in advance, or if the test is explicitly scoped to include detection and response; otherwise the defenders are merely watching a scheduled event.
The effectiveness of protection devices such as IDS, IPS or WAF can also be tested during a penetration test. Many of the attacks should be detected automatically, alerts should be generated, and the people responsible should act according to the company's internal procedures. Attacks that went unnoticed are findings in their own right, and are worth comparing against the testers' log of what they did and when.
4. It offers a third party expert opinion
Many times, the management of a company does not really act when problems are raised from within the organization. Even when IT or security staff present issues to management, they do not receive the necessary support or funding.
In this situation, a report produced by a third-party 'expert' may have a bigger impact on the client company's management and may lead to the allocation of additional funds for security investments.
5. It helps comply with regulations and certifications
Some national laws and well known standards or certifications require or expect companies to perform penetration tests against their information systems (PCI DSS explicitly requires them; ISO 27001 audits commonly expect them as evidence of technical vulnerability management). Even though ticking a checkbox is not the best reason to do a penetration test, it is better than having no verification at all.
However, it is important for the client company to act on the pentest report. The test has no value if the company does not fix the vulnerabilities; the risks remain, and the same findings will probably turn up again at the next penetration test.