From my professional experience, I have only secured environments that conducted penetration testing once per year. In the webinar, Offensive Security Operations: Penetration Testing of the Future, the CEO of a penetration testing company, Chris Dale, provided a thoughtful discussion on why organizations should purchase penetration testing services more frequently from third-party providers (2024). To support his claim, Dale argued that the inherent value obtained from conducting an annual penetration test often expires when the final report is created, as any report produced can only look backwards. While most companies tend to conduct penetration testing annually to meet compliance requirements, Dale reasoned that any annual event is inherently too infrequent to accurately gauge environment health. To Dale, the natural solution is to conduct penetration testing more often.
On that point, I agree with Dale; however, I have reservations that conducting regular penetration testing is the most appropriate solution to address the issue at hand. In my professional opinion, the main problem in focus is that security practitioners must juggle and retain awareness of how organizational changes, technical trends, and new vulnerabilities impact their organization's threat landscape. With this awareness, security practitioners must effectively communicate how changes to the threat landscape impact the organization's risk profile. While it is true that penetration tests allow practitioners to garner senior leadership support and enforcement for security initiatives, penetration testing is ultimately only one source of information, and any additional penetration testing reports purchased could only be used once to retroactively gauge environment health. Instead of conducting penetration testing more frequently, I believe organizations should implement continuous monitoring to retain awareness between annual penetration testing cycles, remaining cost-effective yet secure.
In order to appropriately define the scope for a penetration test, Dale recommended that practitioners perform a digital footprint assessment on their environments to map out their attack surface. Once the attack surface has been identified, Dale advised practitioners to conduct both a risk assessment and a vulnerability assessment, each for its own reasons. A risk assessment must be conducted in order to identify high-risk areas and align security resources appropriately (Dale). A vulnerability assessment, on the other hand, is conducted to separate exploitable vulnerabilities from hygiene issues that pose low risk (Dale). In addressing vulnerabilities, Dale advised security practitioners to understand the inherent limits of vulnerability management and remediation efforts. For most organizations, it is not practical to assume the goal of vulnerability management is to remove all vulnerabilities from the environment (Dale). Instead, the goal of vulnerability management should be to reduce the risk and impact to high-risk organizational processes to an acceptable level, in order to ensure continuous production operation and value creation for the organization (Dale). With this in mind, Dale ended his presentation by reminding security practitioners to think like an attacker and to prioritize remediating vulnerabilities that remain exploitable despite current controls. Once security practitioners have developed an understanding of their business requirements and the exploitable vulnerabilities present in their environments, Dale concluded that practitioners can begin to work offensively and remain prepared for future security challenges.
Reference slide 1: Conducting a Digital Footprint Assessment
Reference slide 2: Applying CAPA Loops to Reduce Attack Surface
Resources cited:
Dale, C. (2024, November 11). Offensive Security Operations: Penetration Testing of the Future [Webinar]. SANS. https://www.sans.org/webcasts/offensive-security-operations-penetration-testing-future/