It is hard to appreciate security while it is working. When it fails, though, it usually fails badly. The recent theft of over half a million Yahoo credentials is just one case that got publicity; incidents like it happen daily, and each one is a sign that security was not done properly. A botnet-driven DDoS attack is hard to prevent outright, but data theft is inexcusable, and not only for major companies. Data theft on a massive scale is carried out either through known vulnerabilities or through social engineering, and both are addressable: vulnerabilities can be patched, and resistance to social engineering can be trained. Security is not a place to cut corners, because online a breach can swiftly break a business. Once a breach happens, people are reluctant to use that site again, especially now that nearly every site requires visitors to register or hand over some other form of personal data. After all, would you entrust your sensitive data to someone who just got robbed?
Penetration testing services exist to help with this. You hire a hacker to break into your site in whatever way possible. He uses the same techniques any attacker would, but instead of causing damage he documents his steps, compiles a report, and hands it to you. With the report in hand you know exactly what is wrong with your site and can fix it, so that the next time an attacker tries, most methods no longer work. You prepared, you battened down the hatches, and your data is safe. What remains is to attack you personally, for instance with a Trojan horse that steals administrator passwords, or to take the site down with a DDoS attack. Most attackers will give up and move on to the next target before bringing out the big guns, unless one of them has a personal issue with you, in which case the standard rules no longer apply.
The main problem with penetration testing services is that they are expensive, so people are reluctant to use them. It does not help that a test needs to be repeated regularly and after every major update or upgrade of the site. People therefore often buy penetration testing software instead, reasoning that paying a higher one-time price for the software sets them up for life and they will never have to pay the testing fee again. That is very wrong. Penetration testing software, however advanced, is just a tool for the tester, and not even the only one: a tester uses a myriad of different tools on each job. Owning the software does not produce a successful penetration test unless the person using it has extensive knowledge of security, because no software is perfect and every tool produces "false positives", reported threats that do not actually exist. Good software produces hundreds of them; cheaper software produces thousands. These false positives clutter the output and obscure the real threats. A programmer then has to go through every finding and work out whether it is real, and that is much harder for the average developer than for an experienced tester. The tester can spot a false positive at a glance, whereas the programmer may spend days hunting for a vulnerability only to find that it never existed.
Why is this wrong and dangerous?
By the time the programmer has checked each reported vulnerability, the bill will be high enough to have paid for several thorough penetration tests. Worse, an attack may already have happened while the findings were still being checked, and fixing the vulnerabilities afterwards is too late.
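One way to make that triage step concrete, as an added example that is not from the original article or from any particular scanner product: the Python below takes a constructed list of scanner findings (the tool flagged every parameter it saw echoed in a response as reflected XSS) and re-tests each one against a hypothetical page, render_page, by injecting a unique canary and checking whether it comes back raw, HTML-encoded, partially filtered, or not at all. The findings, the page and all function names are assumptions for illustration; only the raw reflection is a real finding, the rest is the kind of noise an experienced tester dismisses at a glance.

```python
import html
import re
import secrets

# Constructed sample scanner output: an automated tool flagged every
# request parameter whose value it saw echoed somewhere in the response.
# (Hypothetical data, not output from any real scanner.)
SCANNER_FINDINGS = [
    {"id": 1, "type": "reflected_xss", "param": "q",    "severity": "high"},
    {"id": 2, "type": "reflected_xss", "param": "page", "severity": "high"},
    {"id": 3, "type": "reflected_xss", "param": "lang", "severity": "high"},
    {"id": 4, "type": "reflected_xss", "param": "name", "severity": "high"},
]


def render_page(params):
    """Constructed stand-in for the target site's page (hypothetical app).

    q    -> echoed through html.escape(): safe, but a naive scanner flags it
    page -> echoed raw into an attribute: genuine reflected XSS
    lang -> never echoed; the page simply contains the string 'en'
    name -> quotes stripped, but '<' and '>' kept: partial filtering
    """
    q = html.escape(params.get("q", ""), quote=True)
    page = params.get("page", "1")
    name = params.get("name", "guest").replace('"', "").replace("'", "")
    return (
        "<html><body>"
        f"<p>Results for: {q}</p>"
        f"<a href='?page={page}'>next</a>"
        "<p>lang: en</p>"
        f"<p>Hello {name}</p>"
        "</body></html>"
    )


def make_canary():
    """Unique marker carrying the characters that matter in an HTML context."""
    return "zz" + secrets.token_hex(4) + "<\"'>"


def classify_reflection(body, canary):
    """Decide what the response really did with the injected canary."""
    if canary in body:
        return "confirmed"        # reflected raw: attacker controls markup
    if html.escape(canary, quote=True) in body:
        return "encoded"          # reflected, but HTML-encoded: false positive
    letters = re.sub(r"[^a-z0-9]", "", canary)
    if letters in body:
        return "partial"          # some characters filtered: review by hand
    return "not_reflected"        # scanner matched on a coincidence


def triage(findings, render):
    """Re-test each scanner finding and re-rate it from the observed behaviour."""
    results = []
    for finding in findings:
        canary = make_canary()
        body = render({finding["param"]: canary})
        verdict = classify_reflection(body, canary)
        if verdict == "confirmed":
            severity = finding["severity"]
        elif verdict == "partial":
            severity = "manual_review"
        else:
            severity = "info"
        results.append({**finding, "verdict": verdict, "severity": severity})
    return results


def confirmed_params(results):
    """Parameters that remain genuinely exploitable after triage."""
    return [r["param"] for r in results if r["verdict"] == "confirmed"]


if __name__ == "__main__":
    for r in triage(SCANNER_FINDINGS, render_page):
        print(f'#{r["id"]} {r["param"]:5} {r["verdict"]:14} -> {r["severity"]}')
```

Running it leaves one "high" finding (the raw reflection in page), one item for manual review (name, where the filter strips quotes but not angle brackets), and demotes the other two to informational. Against a real site the render function would be an HTTP request, and the canary approach matters because a fresh random marker cannot be matched by accident, which is exactly how the scanner produced the lang finding in the first place.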
These are just some of the many problems with buying penetration testing software without prior knowledge of testing. It is the same in every field: having the tools does not make one a professional, just as owning a hammer and some nails does not make one a carpenter.
Penetration testing is a fundamental part of owning a website, so it has to be done right. Otherwise the entire investment in the site can swiftly go down the drain.