It amazes me that most of the “security companies” that offer penetration testing services don’t know what penetration testing is. Specifically, they don’t deliver penetration tests even though they call their services penetration testing services. In most cases their customers think that they’re receiving penetration tests but instead they’re receiving the lesser quality vulnerability assessment service.
When customers are looking to purchase penetration testing services they should receive penetration testing services. Likewise, when they’re looking to purchase vulnerability assessment services they should receive vulnerability assessment services. Unfortunately, customers won’t know what they’re receiving unless they clearly understand what those services are and how those services are defined. The services are not interchangeable and they are Â entirely different.
The English dictionary defines a Penetration Test as a method for determining the presence of points where something can make its way through or into something else. Penetration testing is not unique to Information Security and is used by a wide variety of other industries. Â For example, penetration testing is used to test armor by exposing the armor to a level of threat that is usually slightly higher in intensity than what it will face in the real world. If the armor is defeated by the threat then it is improved upon until it can withstand the threat.
The standard product of penetration testing is a report that identifies the points where penetration is possible. Â If the service that was delivered was a real penetration test then the report cannot contain any false positives. You either penetrate or you don’t, there is no grey zone. If the report contains false positives than a service that was delivered was not a true penetration test and was likely a vulnerability assessment which […]