Evaluating Your Security Controls? Be Sure to Ask the Right Questions
Testing security controls is the only way to know if they are truly defending your organization. With many different testing frameworks and tools to choose from, you have lots of options. But what do you specifically want to know? And how are the findings relevant to the threat landscape you face at this moment?
Security teams typically use several different testing tools to evaluate infrastructure. According to SANS, 69.9% of security teams use vendor-provided testing tools, 60.2% use pen-testing tools, and 59.7% use homegrown tools and scripts.
While vendor-provided tools test a specific security solution—whether it’s a web application firewall (WAF), EDR solution, or something else—pen testing is frequently used to verify that controls meet compliance requirements, such as PCI DSS regulations, and by red teams as part of broader testing assessments and exercises.
Automated pen tests help answer the question, “can an attacker get in?” They can help identify vulnerable or high-risk pathways into an environment, but they usually don’t cover the entire kill chain. They can emulate multiple threat actor techniques and even different payloads, but they typically don’t replicate and fully automate the full Tactics, Techniques, and Procedures (TTPs) of a real threat actor.
Automated pen tests rely on skilled human pen testers with varying levels of expertise, making it difficult to gain consistent data over time. The sheer variety of pen-testing tools and approaches can actually complicate testing. For example, different attack vectors require different testing tools. These tools also tend to be weak at recognizing vulnerabilities in business logic, which can skew results.
Read more at The Hacker News