Full Report
The last few weeks have produced some fairly interesting predictions for 2009 in CSO Magazine columns. Two recent articles caught my eye from a penetration testing perspective. In the first, Brian Chess, CTO of Fortify (they make source code review and software security tools, and he has written a great book on static analysis), predicted that penetration testing as we know it will die in 2009. The premise of his argument is that penetration testing will die and be reborn in a different form, aiming more at preventing bugs from occurring than at identifying them after the fact (rolling things into QA / SDLC etc.). Granted, it’s a fairly valid point *in some respects*, albeit a biased one if you consider what he does for a living.
Analysis Summary
# Best Practices: Validating Security Posture Through Penetration Testing
## Overview
These recommendations focus on the continued necessity and strategic integration of penetration testing, even amidst predictions suggesting a shift entirely towards preventative security development lifecycles (SDLC/QA integration). They emphasize that penetration testing remains crucial for assessing existing, operational environments against real-world, multi-layered threats and for addressing compliance requirements.
## Key Recommendations
### Immediate Actions
1. **Validate Operational Environment Security:** Immediately schedule penetration tests targeting existing, deployed applications and infrastructure, recognizing that legacy and un-audited applications remain active sources of risk.
2. **Ensure Compliance Coverage:** Verify that current penetration testing schedules explicitly meet the requirements stipulated by mandatory regulations, industry standards, or internal organizational policies.
3. **Obtain Attacker Perspective Documentation:** For any existing security policy or control, seek documentation that explicitly validates its effectiveness against current, real-world attack methodologies (i.e., results from recent penetration tests).
### Short-term Improvements (1-3 months)
1. **Integrate Pen Test Feedback into Remediation:** Establish a documented process where findings from penetration tests are systematically prioritized and fed directly into the ticketing/patch management system for immediate remediation tracking.
2. **Measure Return on Security Investment (ROSI) Tactically:** Use penetration test results to quantify the effectiveness of recent security tool deployments or incremental defense upgrades. Document improvements in exploit success rates over successive testing cycles.
3. **Baseline Threat Landscape Awareness:** Conduct a focused assessment comparing current penetration testing scope and techniques against known emerging attack vectors identified in industry reports (e.g., new zero-days or evolving threat group TTPs).
### Long-term Strategy (3+ months)
1. **Establish Penetration Testing as a Continuous Cycle:** Move beyond one-off assessments to incorporate regular, consistent penetration testing as an intrinsic part of the overall annual information security strategic improvement program.
2. **Align Penetration Testing with SDLC Goal Setting (Hybrid Approach):** While focusing on prevention in SDLC, use penetration testing feedback strategically to *inform* prevention efforts. For instance, if penetration tests repeatedly find the same class of injection flaw, mandate specific secure coding training for development teams addressing that pattern.
3. **Develop Security Steering Based on Offense:** Formalize the process where penetration testing insights are used to guide long-term security policy steering, ensuring policy adaptation aligns with the current threat landscape revealed by expert adversarial simulations.
## Implementation Guidance
### For Small Organizations
- **Focus on External Perimeter Testing:** Prioritize external penetration tests to confirm the security of public-facing assets, as these are often the easiest entry points for cybercriminals, particularly during periods of economic turmoil when attack activity rises.
- **Leverage Compliance as a Driver:** If compliance (e.g., PCI DSS, ISO 27001 requirements) mandates testing, use this mandatory procedure as the primary justification for budgeting and executing the assessment.
### For Medium Organizations
- **Implement Multi-Stage Testing Scope:** Ensure tests simulate multi-stage attacks rather than just checking individual vulnerability points. This models real-world, complex compromises.
- **Measure Improvement Incrementally:** Establish measurable security posture metrics tracked via penetration testing results to efficiently allocate limited resources to the highest-impact defensive improvements.
### For Large Enterprises
- **Formalize Pen Testing as a Check/Balance:** Integrate penetration testing results into governance reporting structures to provide objective, independent feedback on the work of internal security teams, ensuring checks and balances exist against potential overconfidence in internal audits.
- **Monitor Emerging Tech Vectors:** Dedicate specific penetration testing cycles to assessing the security posture of newly adopted, complex technologies (e.g., new cloud services, emerging IoT/OT integration) to gain leading indicators of future threats.
## Configuration Examples
*(The source material discusses the **value** of penetration testing, not specific technical configurations. Therefore, configuration examples are omitted, focusing instead on procedural configuration.)*
**Procedural Configuration Recommendation:**
*Document the feedback loop:* Configure the ticketing system workflow to require mandatory sign-off by the security manager confirming that a penetration test finding has been successfully remediated and re-tested for efficacy before the ticket can be closed.
## Compliance Alignment
- **Regulations and Standards:** Penetration testing activity directly supports evidence requirements for compliance frameworks such as:
- **PCI DSS:** Requirements related to external and internal vulnerability scanning and penetration testing.
- **ISO/IEC 27001:** Supporting evidence generation for managing information security risks (A.12.6.1: external and internal information systems and audit processes).
- **NIST SP 800-53 / CSF:** Supporting assessment controls related to continuous monitoring and penetration testing verification.
## Common Pitfalls to Avoid
- **Treating Pen Testing as a Silver Bullet:** Do not assume that a successful penetration test removes the need for robust, preventative SDLC practices (such as secure code review or static analysis). Penetration testing delivers the most value when paired with those other controls.
- **Focusing Solely on New Code:** Failing to test operational or legacy systems based on the assumption that future prevention efforts will suffice. Existing deployments must be validated today.
- **Ignoring Increasing Cybercrime Pressure:** Assuming economic downturns reduce the threat; instead, recognize that financial pressure often increases the motivation and sophistication of cyber adversaries, demanding *more* frequent testing.
## Resources
- **Source Material Context:** The arguments presented reflect the ongoing philosophical debate between **Preventative Security (Static Analysis, SDLC integration)** and **Operational Validation (Penetration Testing)**. Effective security requires leveraging the strengths of both.