Security Scorecard

5 Reasons Why Penetration Testing Isn’t Enough

Miryam Meir
Posted on April 27th, 2020

The coronavirus pandemic has brought sweeping change, and with more employees working remotely, security testing matters more than ever. A penetration test, the most widely used of the software security best practices, is one way for an organization to evaluate the security of its systems thoroughly. But a pen test alone may not be enough, and conducting one right now is harder than usual: with workforces shifting from the office to home, on-premise testing is not an option for many organizations, even though remote pen tests exist and still need to be carried out. It is critical for companies to monitor their cyber risk continuously rather than rely on a single engagement.

Here are five reasons why penetration testing cannot, by itself, secure an organization's software, and how SecurityScorecard can fill in the gaps.

1. Infrequent testing

Many organizations conduct annual penetration tests and then assume they are safe: that the test found every vulnerability and that one test a year is enough.

An infrequent pen test gives only a snapshot of your defenses as they stood on the day of the test. Attackers do not wait for your next engagement; new vulnerabilities are disclosed and the environment changes in between. It is crucial to validate defenses continuously so that exposed weaknesses are found and fixed promptly.

2. A mishandled scenario

One crucial factor in the effectiveness of a pen test is who does the testing. Sometimes a "reformed hacker's" only evidence of being reformed is their own assurance that they have learned from past misconduct and changed their ways.

The uncomfortable truth is that a company cannot validate the results of a test it does not understand. If a reformed hacker turns out to be malicious, the organization is in trouble.

For example, an organization hires a few reformed hackers, taking their word that they are reformed, and gives them one week to complete a pen test. By Friday afternoon the testers have found seven faults in the system but report only six. Of those six, only three are fixed; the rest are put on the back burner and, without anyone tracking them, the company is no longer sure how many remain. The seventh fault, which was never reported, remains unknown to the company, and it has no independent way of discovering it.

3. A failure to fix issues in a timely fashion

For a pen test to be effective, action must be taken as soon as the results arrive. Companies that do not prioritize remediating known vulnerabilities risk costly data breaches.

Follow-up penetration tests should be conducted to confirm that every identified issue has actually been fixed, not just logged.

4. Asset diversity

Pen tests are most efficient when a company can generalize the results across its systems. For instance, an organization that deploys a single operating system image to all of its workstations can test that image once and apply the findings, and the fixes, fleet-wide, greatly reducing its attack surface.

However, some organizations, such as hospitals, do not run a uniform fleet. Clinical environments contain a plethora of computing devices, from cheap sensors to million-dollar X-ray machines, and findings from one device type say little about another. If an attacker compromises 100 of 1,000 unique devices, they have accessed 10 percent of the hospital's equipment, and a pen test that examined only the common workstation image would have said nothing about any of them.

5. Legacy devices

Healthcare organizations not only run many kinds of devices but also many vintages of each. The same is true of the old hardware in many power plants, of manufacturing lines still controlled by computers running MS-DOS, and of outdated financial systems.

Sadly, software does not age the way wine does. If you pen test medical devices built on an old operating system, you will find only the vulnerabilities that affect those devices; if you test the newer models, you will miss the issues that afflict the old ones. Each vintage has to be tested on its own.
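As an added example (not part of the original post and not SecurityScorecard's tooling), the following Python script makes the coverage argument of points 4 and 5 concrete. It treats a (platform, version) pair as the unit to which a pen-test result can be generalized, and for a constructed clinical inventory reports which asset classes and what share of devices the last engagement actually covered, flagging vintages of a tested platform that were skipped. The inventory, the test scope and the class definition are assumptions made for illustration.

```python
"""Pen-test coverage by asset class.

Added example, not SecurityScorecard's code. A finding only generalises to
devices that share the tested platform *and* vintage, so coverage is counted
per (platform, version) class rather than per device. INVENTORY and TESTED
are constructed sample data standing in for a small clinical fleet.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Assumption: a platform/version pair is what makes two devices "the same".
AssetClass = Tuple[str, str]


@dataclass(frozen=True)
class Asset:
    name: str
    platform: str  # golden image, product line or controller family
    version: str   # OS build or firmware revision (the "vintage")


@dataclass
class Coverage:
    classes: int                      # distinct (platform, version) classes
    classes_tested: int               # classes the engagement exercised
    device_share: float               # fraction of devices in a tested class
    untested: Dict[AssetClass, int]   # untested class -> device count
    untested_same_platform: Set[AssetClass]  # tested platform, other vintage


# Constructed inventory: one golden workstation image plus assorted clinical gear.
INVENTORY = [
    *(Asset(f"ws-{i:02d}", "win10-gold", "22H2") for i in range(1, 6)),
    Asset("ws-old-1", "win7", "SP1"),
    Asset("ws-old-2", "win7", "SP1"),
    Asset("xray-a", "xray-ctrl", "fw4.1"),
    Asset("xray-b", "xray-ctrl", "fw3.2"),  # older vintage of the same platform
    *(Asset(f"pump-{i}", "infusion-pump", "fw1.0") for i in range(1, 4)),
]

# Constructed scope of the last engagement: the golden image and the newest X-ray.
TESTED: Set[AssetClass] = {("win10-gold", "22H2"), ("xray-ctrl", "fw4.1")}


def asset_class(a: Asset) -> AssetClass:
    return (a.platform, a.version)


def coverage(inventory: Iterable[Asset], tested: Set[AssetClass]) -> Coverage:
    """Summarise how far the test results can be generalised across the fleet."""
    counts = Counter(asset_class(a) for a in inventory)
    total = sum(counts.values())
    untested = {c: n for c, n in counts.items() if c not in tested}
    covered_devices = total - sum(untested.values())
    tested_platforms = {platform for platform, _ in tested}
    # The "tested the new model, missed the old one" case from the text:
    # the platform was in scope, but this vintage was not.
    other_vintage = {c for c in untested if c[0] in tested_platforms}
    return Coverage(
        classes=len(counts),
        classes_tested=len(counts) - len(untested),
        device_share=covered_devices / total if total else 0.0,
        untested=untested,
        untested_same_platform=other_vintage,
    )


def report(cov: Coverage) -> str:
    """Render the summary as a short plain-text report."""
    lines = [
        f"{cov.classes_tested}/{cov.classes} asset classes tested, "
        f"{cov.device_share:.0%} of devices covered"
    ]
    for (platform, version), n in sorted(cov.untested.items()):
        note = "  (same platform, other vintage)" if (platform, version) in cov.untested_same_platform else ""
        lines.append(f"  untested: {platform} {version} x{n}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(coverage(INVENTORY, TESTED)))
```

On the constructed data the engagement covered 2 of 5 classes and half the devices, and the older X-ray firmware is singled out because its platform was tested at a newer version only. Feeding a real inventory export and the scope statement of the last engagement into `coverage` gives the list of classes a follow-up test still has to reach.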

How SecurityScorecard can complement pen testing

Pen testing is important, but it is not a panacea. SecurityScorecard's security services can fill in the gaps by keeping your organization abreast of 10 groups of risk factors, including social engineering and network security, so that problems are spotted before they turn into incidents.

Many clients use pen tests alongside SecurityScorecard to identify not only current vulnerabilities but also assets that were overlooked during the initial pen test because nobody knew they existed. SecurityScorecard closes that gap by helping them identify potential threats the penetration test failed to find.
