The Wisdom and Folly of Penetration Testing
The adage is true that the security systems have to win every time, the attacker only has to win once.
— Dustin Dykes
Think of a prison warden who hires an expert to study his institution’s security procedures, concerned about any gaps that could allow an inmate to slip out. A company follows that same line of thinking when it brings in a security firm to test the sanctity of its Web site and computer networks against intrusion by seeing whether hired attackers can find a way to access sensitive data, enter restricted parts of the office space, or otherwise find gaps in the security that could put the company at risk.
To people in the security field, these are penetration tests — or, in the lingo, “pen tests.” The security firms that conduct these drills are frequently staffed by (surprise, surprise) former hackers. In fact, the founders of these firms are themselves frequently people who have extensive hacker credentials that they prefer their clients never find out about. It makes sense that security professionals tend to come from the hacker community, since a typical hacker is well educated in the common and not so common doorways that companies inadvertently leave open into their inner sanctums. Many of these former hackers have known since they were teens that “security” is, in a great many cases, a serious misnomer.
Any company that orders a pen test and expects the results to confirm that their security is intact ...