Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Behind enemy lines

I’ve come to realize over the past few weeks that I’ve made a fundamental mistake in how I handle penetration tests. It all started to become clear at SANS Amsterdam when the topic of arranging penetration tests was raised. I’ve never really taken the time to think about how the people on the other side of the fence feel. After all, if the people you are dealing with to arrange the tests aren’t the ones who asked for it, then it’s easy to get the wrong idea. After all, we as penetration testers arrive, ask for information on the environment, security measures and systems, and then tear it all apart. Once we’re done we write a nice report to the boss and leave in the knowledge of another job well done. The technical team at the customer, though, then has to deal with the boss, who now thinks his security team is a joke. Is this the kind of thing you’d want to happen after you leave site and move on to the next test? Of course not.


Working together with the security or technical team at a customer may seem like more hassle than it’s worth. However, I’d much rather leave site knowing that the security of the customer will be improved and that the technical team will know how to accomplish the task. Maybe the technical team will be the ones to suggest a follow-up inspection in 6 or 12 months, just because it wasn’t the negative experience they had imagined. The technical team of today could be the CTO of tomorrow, and the sour taste we leave behind now could mean our industry crumbles in 10 years’ time. There is already talk amongst security industry figureheads saying that penetration tests are pointless. Bruce Schneier posted an article on this back in May 2007. Recently Marcus Ranum from Tenable Security also talked openly on the Risky Business podcast about how penetration tests are ineffective and have a negative impact on employee morale.

I for one will be thinking about how my client feels next time we engage in a penetration test. That’s not to say that I won’t do my job and expose the gaps in security. However, when I do, I’ll be working alongside the client’s technical team to make sure they know the why and how of the problem as well.
