In a boardroom somewhere across the globe, someone is stating the following: “The results of our pentests prove that our applications and data are safe.” However, at Zerocopter we know better. You should too, because pentests are suboptimal and best described as a snapshot. By the time the shutter clicks, the picture has already aged so much that it no longer reflects the current state. This is only one of the problems with the traditional pentest. Here’s the rest.
- Limited budget
A pentest starts with a hypothesis and ends by answering it. Changing the focus of the research midway is usually not possible, because that would amount to running a parallel pentest. Budget and time do not allow for that.
- Limited scope
A pentest is strictly defined research built around one question or one subject of testing. This keeps the test focused and its results concrete, but the consequence is that only a small part of the security challenges is taken into account. Therefore, a pentest is best compared to a snapshot.
- Limited time
Pentests are timeboxed and limited in scope; criminals have all the time in the world to look at your digital environment.
- Limited expertise
Typically, one or two people perform a pentest. As experienced as they are, two people have a limited amount of knowledge and expertise as opposed to a whole team of security experts.
- Limited learning by DevOps
Most of the time, the DevOps team is not involved in the results a pentest brings forth. This limits the opportunity to learn precisely in the area where it is needed most.
- Limited flexibility
Pentests do not allow the scope to be changed, since the time frame is set and the budget is fixed. You can’t add testers with specific knowledge mid-assessment.
- Limited possibilities to scale
Calling one of the big four every two weeks to pentest a new release is not sustainable.
- Slow feedback loop
Pentesting takes up a lot of time, slowed down even more by waiting on a report. And when that report is finally written, your DevOps team is already in the next sprint.
Less pentesting, more hacking
Don’t get us wrong: we’re highlighting the limitations of the pentest here to show that the sense of safety that comes from relying solely on pentesting is fragile. That doesn’t mean you should stop pentesting, but you could consider reducing the number of tests to free up budget for an additional alternative that has something to do with hacking. Read our brochure to find out what we’re aiming at.
Written by Zerocopter
February 28, 2020