Next Level Pentesting: Why the classic pentest approach is reaching its limits

25. February 2021

For more than 25 years, we have been helping companies achieve more security and monitoring developments and trends. In this interview with Matthias Göhring, Head of usd HeroLab and Sebastian Puttkammer, usd Managing Consultant IT Security and Head of HeroLab Tools, we talk about why classic approaches in the field of penetration testing no longer do justice to increasingly complex environments and what future-proof solutions look like.

What do you understand by the classic pentest approach?

Matthias Göhring: “Classic pentests, as they are conducted by companies today, are a black box for customers. There is a lack of overarching standardization in the way they are carried out: test depth, test coverage and scope vary from provider to provider, but are impossible to compare. In addition, the results reports only include identified vulnerabilities and the tests that do not result in a vulnerability are usually not documented.”

Why is this transparency in the testing process important?

Sebastian Puttkammer: “Without transparency and standardization, it always remains unclear to the customer as to what has been tested during the pentest. Since pentests are carried out across different industries, the requirements for execution and documentation also vary. There are already security standards that stipulate the traceability of the test steps performed. It is not possible to map these adequately with the approaches used to date. In addition, with the classic pentest, customer-specific requirements cannot be mapped in most cases.”

How do you plan to solve the problems you’ve highlighted?

SP: “We have really taken our penetration testing to the next level in terms of transparency and standardization per pentest category in recent years. We laid the foundation for this with our toolchain. It allows us a high degree of automation, which goes hand in hand with comparability, reproducibility and efficiency. This gives our pentesters more time for targeted and manual testing, which increases the quality of the analyses by, among other things, testing more for logic errors.”

MG: “In addition, we can integrate customer-specific requirements more easily with the help of the toolchain. Thanks to the complete and transparent documentation, the individual test steps are comprehensible for our customers. Especially since we also record the test steps in the report where no vulnerabilities were identified. An important requirement from the customer’s point of view.”

In which way will the HeroLab toolchain be further developed?

MG: “Our know-how and experience are constantly being incorporated into the further development of our tool landscape, resulting in ingenious synergy effects: For example, we are increasingly discovering so-called zero days and, through Responsible Disclosure, are supporting software providers in closing critical gateways for hackers in a timely manner. Thanks to our tool landscape, we are also creating a constantly optimized training environment for our internal training program, the “usd HeroLab Certified Professional”. This guarantees that our analysts always perform their security checks at the highest level. And we still have a lot up our sleeve for the future!”

Learn more about the usd HeroLab toolchain and how it supports our customers and security analysts on the path to more security in our English-language webinar “Next Level Pentesting” on March 18th 2021.

news usdWebinar

Also interesting:

3 Reasons for a Cloud Security Audit

3 Reasons for a Cloud Security Audit

Outsourcing applications and data to the cloud brings significant benefits for companies, but at the same time also new challenges for the corresponding IT departments. The technologies and processes of a cloud environment differ from those of local data centers....

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for...