This may seem an odd statement to make from someone who is trying to sell penetration testing services, but the honest truth is that you may not need a penetration test; at least not yet.

What is a Penetration Test

The first thing to understand is what a penetration test is and what it is not. A penetration test is a test that looks to test the security controls around a target, such as a network, an application, or even a physical building filled with employees. At EliteSec, we focus on the first two - physical penetration testing is out of our scope (but we can point you in the right direction if you’re interested).

Penetration tests are required for certain certifications such as PCI-DSS. While certifications such as SOC2 and ISO 27001 do not require penetration testing explicitly, it is highly encouraged. by most auditors. Contractual obligations are another major driving force, especially when you are dealing with larger, enterprise customers, since they want to ensure your application is secure.

What’s wrong with Penetration Testing

Let me be clear - there is nothing wrong with penetration testing or having a penetration test performed, but the question is whether or not it is the right thing to do first. Often if you have never done a penetration test before, and you’re not doing it because of a requirement for compliance or a contract, it’s best to start with a vulnerability assessment first.

Vulnerability assessments are a type of information security assessment that looks for potential weaknesses, vulnerabilities, and other misconfigurations but does not attempt to exploit them. Think of this as a means to look for low hanging fruit in terms of what an attacker may target. This pre-assessment can go a long way since it can identify the potential weaknesses in the target, and give you a list of items to fix. Not to mention they are often significantly less expensive than a penetration test.

Wait, don’t I get a vulnerability scan as part of my penetration test

Well, it depends. A good quality penetration test will contain a vulnerability scan as part of the test, but it may not be as thorough or as deep as a dedicated vulnerability assessment, where the auditor will do a much more thorough scan, often logging into remote systems to look for potential vulnerabilities as well.

For firms that offer less-than-stellar quality penetration tests, they may just run a vulnerability scan using an automated tool, take the generated report, replace the header and a few images, then hand it to you as their final report. This is borderline criminal and really boils my blood. The key difference is that these scans are often chocked full of false positives and can often cost you even more money in terms of lost time and effort chasing after these “ghost vulnerabilities”.

But won’t I be paying double

Vulnerability assessments do not have to be done before each and every penetration test, but if you’ve never had a penetration test before, or if you’ve done some major re-architecture between tests, then it may make more sense to start with a vulnerability assessment first. At EliteSec, we will credit any vulnerability assessment towards your first penetration test. We want you to be successful, so we want to make it fair especially when your starting out.

Do you have questions around penetration testing and vulnerability assessments? Reach out, we’re more than happy to help clear things up and find out what’s right for you.

– John