Will vulnerability assessments and penetration testing find all the security vulnerabilities in your systems?

Will vulnerability assessments and penetration testing find all the security vulnerabilities in your network and systems? Well, the simple answer to that is probably not; that is, of course, unless you are prepared to spend an awful lot of time, effort and money on it. So why bother having your systems tested then? Well, because it is still vitally important to protect your network from vulnerabilities. What is required is closer co-operation between the client and the pen tester.  From a client’s perspective it’s about the importance of setting expectations and defining the requirements for penetration testing.  From a tester’s point of view it’s a question of gathering as much information as possible about the internal workings of the business and the systems to be able to do a comprehensive vulnerability assessment.

Whilst penetration testing may not be able to find all the security vulnerabilities in a system, it remains important because it can help to identify vulnerabilities that businesses would struggle to find on their own. Vulnerabilities like:

  • Technology-specific and platform-specific vulnerabilities
  • Configuration and deployment mistakes in the run-time environment
  • Problems in areas like authentication and session management that should have been taken care of by the framework that you are using – if it works and if you are using it properly
  • Problems in information leakage, object enumeration and error handling – problems that look small to you but can be exploited by an intelligent , motivated and determined attacker
  • Mistakes in data validation or output encoding and filtering, that look small to you but could have significant consequences

Even that assumes that the business has already managed to self-fix obvious system vulnerability issues like any weaknesses in workflow or access control or password management or a race condition.

The real purpose of penetration testing isn’t necessarily to find all of the bugs in a system: it’s to get information, like:

  • Information on the types of bugs in the application that need to be reviewed and fixed, how they were found, and how serious they are.
  • Information that you can use to calibrate your development practices and controls, to understand just how good or poor you are at building software.

According to James Bach of Satisfice, ‘penetration testing doesn’t provide all possible information, but it provides some. Good testing will provide lots of useful information.’

This information will then highlight other issues that need to be addressed, such as:

  • How many other similar bugs could there be in the code?
  • Where else should the tester look for bugs?
  • What other kinds of bugs or weaknesses could there be in the code or the design?
  • Where did these bugs come from in the first place?
  • Why did the business make that mistake initially?
  • What didn’t the business know or understand?
  •  Why weren’t the problems identified earlier?
  • What needs to be done to prevent future bugs?
  • Are the bugs serious or numerous?

For more advice and information on vulnerability assessments and penetration testing, or web security solutions, please contact Krypsys on 01273 044 072 or [email protected].