Last Updated on July 16, 2010
My mother always used to say “you should never discuss religion or politics with others”. As I’m not very knowledgeable in either, nor do they appeal to me very much, it’s been pretty easy to comply with mom’s guidance.
Over the last few weeks I’ve learned that there is one more item to add to that list – “Penetration Testing”. I wrote a blog on Penetration Testing that was intended to stimulate discussion. The hope was that it would move the conversation forward on an industry subject that sorely needs open and candid conversation that can inch us towards a more standard definition of the same. Instead, what I got was highly negative feedback that was delivered with a fervor reminiscent of a religious zealot. The more rationally I attempted to explain my position the more irrational the response – finally I gave up. My argument was pretty simple – scale the test to ensure that the testing activities are proportional to the risks the client is looking to validate; that is, controlled to an acceptable level.
While I understand the value of a black-box penetration test, ongoing vulnerability research, and writing custom exploit code, I find it remarkable that there are practitioners that insist that unless a test includes the same – that it is not a penetration test. To suggest that the right penetration test for the CIA is the same as the right penetration test for a widget manufacturer, ignores basic risk assessment principles. The cost of the control should not exceed the cost of the risk it mitigates. Where a compromised server at a widget manufacturer may be a mildly business impacting nuisance – a compromised server at the CIA may result in thousands of lost lives. Clearly, the extent and rigor of the testing for the CIA should exceed that of the widget manufacturer. I have yet to meet the widget manufacturer who wants to protect himself from custom written exploit code – it’s a risk that they are simply willing to accept.