
Penetration testing isn’t enough: We need intelligent vulnerability scanning too

source link: https://devm.io/testing/pen-testing-vulnerability-scanning

Vulnerability Scanning fills in the missing piece

10. Oct 2022


Penetration testing is a fundamental asset for enterprise security. It’s the thing that allows businesses to test their own environments and catch their vulnerabilities, loopholes, and gaps before cybercriminals do.

Penetration testing grew out of the U.S. defence establishment of the 1960s. As some of the foremost pioneers of connected technologies, organisations like the Department of Defense (DoD) were compelled to examine how, under the right conditions, their computer systems could be attacked by a hostile force.

As connected computing technology spread out into the wider world and security became a primary concern, so too did the tools and techniques of penetration testing, or “ethical hacking,” become more widely used.

Many companies now conduct periodic assessments of their own security so that they can spot, fix, and patch any vulnerabilities that might come up. In fact, they’re often forced to do so by a variety of business considerations or compliance demands.

But penetration testing – as it is currently carried out – cannot, on its own, effectively test the security or operational needs of a modern organisation. Penetration tests are meant to simulate real attacks but, for a variety of reasons, they can’t.

Pace of Change

The digital enterprise is changing fast. Demands for new digital functionality, and the software to make it happen, are rising quickly. As environments change every minute of every hour of every day, a penetration test often captures only one moment of that constant transformation. Countless new gaps or vulnerabilities may open up in those environments, but organisations relying solely on penetration testing may not know that until they actually carry out another test.

That leaves weeks, months or even years before an organisation might spot its own vulnerabilities. While ethical hackers are waiting to carry out their scheduled tests, malicious hackers are constantly probing networks to find a gap they can exploit. They can quickly adapt to changes and exploit openings as soon as they’re spotted. Meanwhile, organisations may not be able to spot them until it’s already too late.

Scope and Scale

Another fundamental problem is that penetration tests often cannot scale to test the true scope of client environments.

First of all, these tests are often performed manually, which can make them both expensive and time-consuming. It also makes it difficult to actually test the hundreds or thousands of assets that a client possesses.

Furthermore, many penetration tests tend to focus on certain areas while neglecting others. For example, many will focus on high-profile risks while neglecting the smaller issues that might exist throughout the environment.

Many penetration tests overemphasise the network layer and neglect the application layer. Unfortunately, the reality is that applications are one of the most exploited vectors. One Forrester survey found that 39% of external attacks in 2020 targeted web applications. Sometimes, companies will even ask their ethical hackers to limit the scope of their tests.

While penetration tests often have to operate within limits, attackers know no such limitations. When ethical hackers have to restrict their tests, whether because of material limitations or client direction, the tests fail to provide true value, and vulnerabilities go undiscovered, waiting to be exploited by real attackers.

Vulnerability Scanning fills in the missing piece

This leads us to conclude that penetration tests are a necessary but ultimately insufficient means to catch all the vulnerabilities a rapidly changing digital environment might contain. In a sense, they’re not supposed to. Penetration tests use the manual expertise and creativity of ethical hackers to find the problems – such as business logic vulnerabilities or zero-days – that only human ingenuity can find. But on their own, they’re not enough.

Testing needs to be a thorough and continuous aspect of everyday operations. Vulnerability scanning holds many of the pieces that penetration testing lacks. These scans comb an organisation's digital infrastructure to find vulnerabilities wherever they lie and, crucially, can scale out to accommodate environments of any size, a capability which traditional penetration testing lacks. These scans can be automated and carried out regularly at little cost, making them easy to integrate into the everyday operations of an organisation.

However, one must be aware that they can’t provide the creativity of an attacker's perspective. Vulnerability scans can only test what they have been programmed to test and often produce false positives which then have to be manually verified.

In the end, as both assets are valuable in their own way and can’t replace each other, vulnerability scanning’s ability to automate and scale must be integrated with penetration testing’s ability to exploit vulnerabilities in the way a malicious actor would. With the addition of automatic exploitation, vulnerability scanners won’t just find known vulnerabilities within a system but will actively try to exploit them, just like a penetration tester would.

With that, testing and scanning can be automated and seamlessly embedded into the Software Development Life Cycle (SDLC), which is often slowed down by traditional testing requirements but still needs to be constantly reviewed to see whether applications under development are introducing new security risks.

Penetration testing does indeed fall short in a number of areas when evaluating an organisation’s security, but it still offers indispensable value that no tool can provide. However, vulnerability scanning tools at the cutting edge of the industry can, with the addition of automatic exploitation, fill in the gaps that it leaves, thus borrowing one of penetration testing’s key assets while providing the ability to automate, scale, and consistently scan all of an organisation's assets, wherever they lie.

Karl Gonzi

Karl is an established corporate lawyer and General Manager with a track record of helping tech companies scale and grow their operations. As General Manager, Malta, at Invicti, Karl is focused on executing the Group’s strategy in Malta, communicating business goals to the organization and, more broadly, growing Invicti’s footprint in Europe.

