The Dilution of Pentesting
By Daniel Miessler on December 13th, 2005: Tagged as Information Security | Rants
Penetration Testing is one of the most advanced skills within the information security field. It requires not only extensive knowledge but also an analytical and oftentimes creative mind. It’s generally accepted in the community to be an area reserved for the best and most experienced within the infosec field.
While the pentest process involves mostly manual techniques, there are tools available that can assist one during the process. Most of these tools, however, do only small pieces of the process. They cover information gathering, vulnerability scanning, etc. No tool has ever claimed to be able to go from start to finish through an entire pentest — well, none until recently.
There’s a new tool on the scene that supposedly can do everything. It claims to be able to do the discovery, the scans, and finally the compromise and privilege escalation as well. Many in the industry are bothered by this for a number of reasons. First, there’s the primal fear issue. Will we be replaced by a well-written piece of software? Ultimately the answer to that is no, but the second question is more poignant.
Will tools like this cheapen the discipline of pentesting — effectively making it available to less-skilled professionals?
The answer is yes, and I can tell you first-hand that it’s the case. Just now I was installing this tool (my company is all about it right now) and was given two options for doing port scans. I could either do the defaults or do custom scans. Fair enough. The problem was the subtext for the custom scan; it read:
“For advanced users.”
Excuse me? Is there another kind of user doing pentests? Evidently so. I opened the menu (to unveil the “advanced” options, you understand) and found timing options for how long to wait before sending “SYN” packets. Wow. That’s high-level stuff.
Keep in mind, this tool is used to emulate a full-blown attack on a customer’s network. This is supposed to be performed by highly qualified professionals with years of IT experience. As I said, it’s one of the most advanced skillsets an information security professional can have. The direct implication that the company that made this tool thinks there would be people performing pentests who didn’t know how port scans worked is quite scary. Worst of all, it’s a sign of things to come. More and more will be calling themselves “pentesters” on the grounds that they were able to get a license for an automated tool. It’s quite sad.
Ultimately it won’t matter because the results that a true pentester can get will always surpass the results of the unskilled wielding applications. But in the meantime our discipline will take yet another hit in the credibility department. When managers hear about this sort of application they automatically assume that running foo_tool is a pentest. And that mistake right there is what leads to a great many professionals (and their skillsets) being undervalued.