Penetration testing solutions vary widely in their ability to meet an organization’s unique security testing needs. During the evaluation process, you should consider all the available product features across a range of important categories:
Ease of Use
You should be able to conduct all testing operations through a single, intuitive, visual interface that is easy to use and that lets you run, and gather data from, a wide range of potential tests.
Transparency and Customization
The penetration testing solution and process must be fully transparent, allowing you to view and edit all included exploits and understand the scope of the testing being carried out. You should also be able to include your own exploits in the product’s automated testing process if so desired, and run them manually for more customized testing of unique environments.
Integration with Other Security Products
Any commercial-grade solution should be able to integrate effectively with other security products, in particular vulnerability assessment and scanning systems, along with security management applications, patch management tools, compliance management platforms, and security information and event management products (SIM/SEM).
Currency, Relevancy and Effectiveness of Exploits
Leading penetration testing solutions vendors can provide deep libraries of relevant, timely and thoroughly tested exploits for both well-known and newly-discovered vulnerabilities, allowing you to actively assess your exposure to the broadest range of threats while maintaining the integrity of your network and applications throughout the testing process. All onboard exploits should be immediately usable out of the box and optimized for multiple platforms and attack vectors, without requiring coding or customization.
By effectively gathering relevant system security information, including OS and services data, IP address and e-mail domain information, and web application and browser details, a penetration testing solution must be able to determine which vulnerabilities are present and any exploits that may be applicable to those weaknesses. Leading products will allow you to browse file structures and view file contents on compromised networks, endpoint machines and applications – and enable you to see how vulnerabilities present across such assets can be used in concert, clearly exposing any at-risk information assets. You should also be able to open shells to gather further information about compromised machines, such as which networks or applications they are connected to, and be able to advance exploits via privilege escalation, or pivoting, just as a real-world attacker would.
Attack and Penetration
The most efficient penetration testing software solutions on the market today allow you to launch multiple, simultaneous attacks across various systems to speed the overall testing process. Once any systems are compromised, exploits should then be run locally so that machines are attacked internally, rather than from across the network. In addition, advanced users should be able to run the product manually, with full control over which exploits are applied to which systems.
After revealing network information about a compromised system or application, penetration testing solutions should enable you to launch attacks on other machines, applications or users residing on the same network, without having to upload code (i.e., an attack tool) to each compromised machine to do so. Products that possess this “pivoting” capability allow you to penetrate deeper into back-end systems with higher levels of security and thereby understand the real threat represented by any particular vulnerability, or group of vulnerabilities.
A commercial-grade penetration testing solution should not install modules or tools on compromised systems and applications or alter them in any way. Once the penetration test is complete, the product should automatically remove all traces of the testing process immediately.
The effectiveness of a penetration testing solution is ultimately defined by the quality and breadth of its reporting capabilities. Reports must be clear and easy to understand, with options to present relevant, actionable results data to different types of readers. For instance, while a manager might require an overview of risks and solutions that isn’t heavy with technical details, a system administrator would need a specific list of vulnerabilities to address. A CIO or CISO might seek out a mix of high-level and technical report data. In addition, full activity audits should be available for distribution to both internal and third-party compliance assessors, and report content should be exportable to popular applications for analysis, aggregation and customization.
Implementation and Training
A penetration testing solution should offer a simple, fast installation process that is not dependent on high levels of customization or vendor services to prove successful. Training demands ought to be minimal in terms of the time needed to get testing underway, and should not require highly technical skills.
A full complement of vendor-provided professional penetration testing services should be available to help you meet specific compliance demands for third-party testing, or to simply obtain deeper levels of technical analysis and remediation assistance.
Established penetration testing solution vendors should have a proven track record of providing information security products and services to a wide range of organizations. Look for a company that openly collaborates with other security product vendors and service providers to share and expand its expertise and cover the broadest range of vulnerabilities and systems possible. Published research and technical articles, security advisories and any memberships on security standards advisory boards can also serve to help you measure a vendor’s credentials and expertise. In addition, you should make sure that all of a solutions vendor’s employees have undergone documented background checks for increased reliability and security.
Leading vendors offer regular access to a highly knowledgeable customer support team with extensive, hands-on penetration testing experience that adds tangible value to their product knowledge and troubleshooting skills.