Next Level Pentesting: Why the classic pentest approach is reaching its limits

25. February 2021

For more than 25 years, we have been helping companies achieve more security and monitoring developments and trends. In this interview with Matthias Göhring, Head of usd HeroLab and Sebastian Puttkammer, usd Managing Consultant IT Security and Head of HeroLab Tools, we talk about why classic approaches in the field of penetration testing no longer do justice to increasingly complex environments and what future-proof solutions look like.

What do you understand by the classic pentest approach?

Matthias Göhring: “Classic pentests, as they are conducted by companies today, are a black box for customers. There is a lack of overarching standardization in the way they are carried out: test depth, test coverage and scope vary from provider to provider, but are impossible to compare. In addition, the results reports only include identified vulnerabilities and the tests that do not result in a vulnerability are usually not documented.”

Why is this transparency in the testing process important?

Sebastian Puttkammer: “Without transparency and standardization, it always remains unclear to the customer as to what has been tested during the pentest. Since pentests are carried out across different industries, the requirements for execution and documentation also vary. There are already security standards that stipulate the traceability of the test steps performed. It is not possible to map these adequately with the approaches used to date. In addition, with the classic pentest, customer-specific requirements cannot be mapped in most cases.”

How do you plan to solve the problems you’ve highlighted?

SP: “We have really taken our penetration testing to the next level in terms of transparency and standardization per pentest category in recent years. We laid the foundation for this with our toolchain. It allows us a high degree of automation, which goes hand in hand with comparability, reproducibility and efficiency. This gives our pentesters more time for targeted and manual testing, which increases the quality of the analyses by, among other things, testing more for logic errors.”

MG: “In addition, we can integrate customer-specific requirements more easily with the help of the toolchain. Thanks to the complete and transparent documentation, the individual test steps are comprehensible for our customers. Especially since we also record the test steps in the report where no vulnerabilities were identified. An important requirement from the customer’s point of view.”

In which way will the HeroLab toolchain be further developed?

MG: “Our know-how and experience are constantly being incorporated into the further development of our tool landscape, resulting in ingenious synergy effects: For example, we are increasingly discovering so-called zero days and, through Responsible Disclosure, are supporting software providers in closing critical gateways for hackers in a timely manner. Thanks to our tool landscape, we are also creating a constantly optimized training environment for our internal training program, the “usd HeroLab Certified Professional”. This guarantees that our analysts always perform their security checks at the highest level. And we still have a lot up our sleeve for the future!”


Learn more about the usd HeroLab toolchain and how it supports our customers and security analysts on the path to more security in our English-language webinar “Next Level Pentesting” on March 18th 2021.

Also interesting:

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an...

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

In the dynamic field of cybersecurity, it is often the obscure and long-forgotten vulnerabilities that pose a hidden threat to otherwise hardened systems. One such vulnerability lies in invalid character encodings that violate the UTF-8 standard. While overlong UTF-8...

Categories

Categories