Penetration Testing without Risk Analysis

A few years back, I was in a room full of practicing penetration testers, listening to them talk about the problems they perceived in their working environment. I got a bit confused and asked an inconspicuous question:

“How much of your work is risk analysis?”

Ten pairs of eyes looked back at me, with the same look of confusion that I assume I was displaying myself.

“What do you mean? We don’t do risk analysis.”

One of them explained that they get a scope for the assignment, and that’s what they work with.

For me, then an infosec consultant, this was incomprehensible. Risk analysis is at the core of what we do. It makes us focus on the right things and not waste our customer’s money.

Findings go unpatched

The penetration testers are told where to look and what to look for. They hand in their report, which in the best case is written in human-readable language, and that's it. Next year they come back, find the same issues, and write their report again.

Of course, this is a caricature of the process. I'm sure there are quite a few companies that hire pen testers and actually patch their issues. But some companies simply cannot, or they make decisions that by extension prevent them from fixing their issues. They are too dependent on legacy systems that are insecure by design. Some have old processes. Some have an old culture ingrained into the walls, a culture that punishes innovation and accepts inefficiency as a fact of life.

This way of working doesn't work for me. What makes me happy going to work in the morning is the belief that I can investigate a symptom, find the root cause of a bug, and work towards a solution that fixes that cause for the long term. It's a detective's work, and you cannot shun any tool. Whether "technical" or "manual", soft or hard, an efficient tester's toolbox is big and sometimes unexpected.


This blog post is part of a series of observations about traditional penetration testing. I try to be constructive, so if you feel attacked by me, please keep up a constructive conversation with me.