How To Conduct A Genuine Penetration Test

You are reading this article because you want to better understand the difference between a fake penetration test and a genuine penetration test.

First, what’s the big difference between a Penetration Test and a Vulnerability Assessment?

A Penetration Test validates the existence of vulnerabilities through exploitation; a Vulnerability Assessment does not. The biggest difference between a genuine Penetration Test and a Vulnerability Assessment is therefore accuracy.
A Penetration Test by definition must produce a report that is free of false positives, whereas a Vulnerability Assessment is expected to contain false positives.
This is because a Penetration Test is exactly what the name says: a test designed to positively identify the points where something can make its way into or through something else, by actually making its way in.
A Vulnerability Assessment, on the other hand, is a best guess as to how susceptible something is to risk or harm, typically inferred from version strings, banners and configuration rather than from a successful exploit. Guessing clearly leaves room for error.
I’ve had Penetration Testing reports contain false positives, so what does that mean?
It most likely means that you did not receive a genuine Penetration Test. Instead you probably received the augmented product of an automated Vulnerability Scan.
Unfortunately, most vendors that offer Penetration Testing services are really only offering vulnerability scans that are vetted by an engineer (not real penetration tests). The methodology they use is of exceedingly poor quality, does not reproduce a realistic level of threat, and produces reports that contain false positives.
Here’s what their methodology looks like:
Most Common Industry “Penetration Testing” Methodology

  1. Ask you for your number of IP addresses and produce a quote based on this information only
  2. Run an automated vulnerability scanner
  3. Pass the results to an engineer / hacker / tester
  4. The engineer vets / validates / verifies the results (this is what most vendors call “Manual Testing”, but in reality it is only vetting: checking that the scanner’s match looks plausible, not proving that the flaw can be exploited)
  5. Produce the final report
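The following is an added example, not code from the original article or from any vendor, showing why step 2 of the methodology above produces guesses rather than findings. Scanner signatures commonly infer a vulnerability from a service banner’s version number. A version-only comparison cannot tell whether a distribution package (the banners, threshold and rule below are all constructed, and the “fixed in 8.0” cut-off is a hypothetical signature, not a real advisory) carries a backported fix under an older upstream version string, so a careful assessor can only mark such a host as “unknown, validate by exploitation” while a naive signature reports “vulnerable”. That gap is exactly where the false positives in a vetted scan come from.

```python
import re
from dataclasses import dataclass

# Constructed sample banners (not taken from any real scan).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10",  # old upstream version, distro package
    "SSH-2.0-OpenSSH_7.4",                       # old upstream version, no distro info
    "SSH-2.0-OpenSSH_8.9p1 Debian-3",            # at/after the hypothetical fix
    "SSH-2.0-OpenSSH_8.9",
]

# Hypothetical scanner signature: "OpenSSH earlier than 8.0 is affected".
# This is an assumption for illustration, not a statement about real OpenSSH releases.
FIXED_IN = (8, 0)

# Captures major.minor, skips the optional "pN" portable suffix, and keeps any
# trailing distribution tag (e.g. "Ubuntu-4ubuntu2.10") if one is present.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(\S+))?")


@dataclass
class Verdict:
    banner: str
    naive: str    # what a version-only scanner signature concludes
    careful: str  # what an assessor can actually justify without exploitation


def parse_banner(banner: str):
    """Return ((major, minor), distro_tag_or_None) or None if the banner is not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), m.group(3)


def naive_scanner(banner: str) -> str:
    """Version-only inference: the logic most scanner signatures reduce to."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "no match"
    version, _distro = parsed
    return "vulnerable" if version < FIXED_IN else "not vulnerable"


def careful_assessor(banner: str) -> str:
    """Same input, but refuses to claim more than the banner proves."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "no match"
    version, distro = parsed
    if version >= FIXED_IN:
        return "not vulnerable (version at or past fix)"
    if distro:
        # Distributions routinely backport security fixes without bumping the
        # upstream version string, so the banner alone cannot settle this.
        return "unknown: distro package may carry a backported fix; validate by exploitation"
    return "possibly vulnerable: unvalidated version inference"


def triage(banners):
    return [Verdict(b, naive_scanner(b), careful_assessor(b)) for b in banners]


if __name__ == "__main__":
    for v in triage(SAMPLE_BANNERS):
        print(f"{v.banner}\n  scanner : {v.naive}\n  assessor: {v.careful}")
```

Run it and compare the two columns for the first banner: the scanner signature reports a vulnerability, the assessor can only report that exploitation is required to know. A report that copies the scanner’s verdict after an engineer “vets” it is a Vulnerability Assessment with a pentest label; a genuine test replaces “unknown” with a demonstrated result.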

A penetration testing company that offers genuine services should have no trouble offering you a No False Positives Guarantee.
Many security vendors claim to offer you a guarantee and that their services will produce reports that are free of false positives, yet when you ask how they back up their guarantee you’ll find that they don’t really have a guarantee at all.
Every vendor you’re considering should offer you a rock solid guarantee. If they don’t, run away as fast as you can.
Example:
Here’s our 100% No-Risk Guarantee: if we produce an Advanced Penetration Testing report that contains even a single false positive, then we will redo the test the following year free of charge. Our primary focus is to provide the highest quality service possible, and this is why we offer our risk-reversing guarantee to you.