… Long live Penetration Testing!
A similarly juxtaposed phrase was used to announce the passing of a King and announce a new one. Cylidify believes that Penetration (or “Pen”) Testing has passed on as an encompassing term, but lives and thrives as a specific approach in a larger security methodology. We are pivoting to the term “Offensive” – the sport or combat definition as in “offense vs. defense” though parts of the other definitions apply via the necessary ethical approaches and rules of engagement. This term conveys that you are taking an approach designed to “score” against an someone or something assuming a defensive posture. The defenses are combinations of people with physical and logical constructs intending to defend an asset such as a site, intellectual property, data, keys, credentials, etc. Generally, defenses mitigate risk since prevention is not guaranteed and may be impossible (depending on the value of the assets). This pivot is mostly due to the confusion in the market and the issues this creates in engagements, but there are some other benefits to updating the terminology and clarifying the approaches.
Pen testing is still a high value Offensive Security (OffSec) approach, but implies a direct, “hands-on” testing approach designed to penetrate a perimeter or other defensive construct. The abstraction of perimeters in highly virtualized or public clouds (e.g. AWS and Azure) and the rise of aspirational Zero Trust paradigms are motivations for changes to terminology and approaches. Another motivation is the fact that offensive approaches are applied at any phase in a development life cycle – from the more static architecture and design (e.g. Threat Modeling) through to the more traditional, later stage dynamic approaches (like penetration testing) applied in the context of operational deployments. Cylidify advocates that “earlier is always better” for security (and privacy), but there are some offensive approaches that just don’t work statically. And, for most dynamic approaches, the earlier, or further the target is away from “production representative”, the lower the value (see our previous post on Penetration Testing).
We also lean to the term “analysis” instead of “testing” since OffSec engagements aren’t always limited to direct testing. These are tailored engagements that also include analysis of policy and processes as well as practices like modeling (i.e. Threat Modeling) and simulations including dry-runs of incident response plans or general table-top exercises. Simulations are also increasing in value in their baseline exercises of “red vs. blue” teaming, red == offense and sometimes the teams merge into a “purple” team, or “capture the flag” where the flag is a specific asset or foothold in an environment or system. There is also the more theoretical or “proof of concept” analysis that extends modeling, simulation, or direct testing. For example, once an attacker has a foothold and elevated permissions in an environment, is it possible for them to defeat the encryption or containers defending the assets? [This can be either before or after the asset ex-filtration noting that it’s popular now to attack the assets in place by encrypting and ransoming the access.]
Cylidify offers direct OffSec capabilities, but we also do referrals and brokering in our partner network. We can manage any engagement including defining a scope and approach to fit your specific needs and deliver real value – please contact us to learn more.
Comments