Limitations of Penetration Testing
Penetration testing are useful practices that can help make an organization’s security tighten. But penetration testing do have limitations which can be a project-based limitation or the penetration testers skills themselves.
Limitations of Penetration Testing
Penetration testing cannot find all vulnerabilities in a target environment.
There are limitations based on the resources and restrictions of a test:
– Limitations of scope
– Limitations of time
– Limitations on access of penetration testers
– Limitations on methods of penetration testers
Additional limitations are connected with the penetration testing team and their pen tests tools arsenal:
-Limitations of skills of penetration testers
-Limitations of imaginations of penetration testers
-Limitations of known exploits
-Most of penetration testers do not write their own exploits
Although penetration testing are beneficial practices, they do have some significant limitations worthy of analysis. Several of these limitations are associated with the nature of testing projects themselves, with finite resources and a targeted scope. First off, testing projects by their very nature have a limited range. Most organizations do not and can not test everything, because of resource constraints. Penetration testers test those elements of the client’s infrastructure that are deemed most vital. But, a real-world attacker may find flaws in other areas that simply weren’t part of the penetration testing project’s scope. Another related limitation is time. Professional penetration testers are allotted a certain amount of project time for a test. Attackers often have far more time to work on their attack, planning it out over months or years, when most penetration testing processes just last for days, weeks, or, at most, a few months.
Furthermore, penetration testers often have restricted access to the target environment that models where some, but not all, of the bad guys sit. For example, an organization may have a penetration test carried out against its DMZ systems from across the internet, modeling what attackers sitting anywhere in the world would see if they attacked through the normal internet gateway. However, such a test won’t detect vulnerabilities associated with local wireless access points, or attacks that could be used by malicious insiders currently on the internal network.
And because of the possibility of crashing a target system during a penetration test, some particular attack methods will likely be off the table for a professional penetration tester. For example, creating a denial of service flood to distract a system or network administrator from another attack method would be an ideal tactic for a real bad guy, but will likely fall outside of the rules of engagement for the majority of professional penetration testers.
Also in addtion to the limitations of project-focused tests, penetration testers have limitations associated with the testing team itself. Professional penetration testers are limited in that they have a finite-skill set. Even very skilled penetration testers have their limits, focusing on particular technologies and having less expertise in others. A malicious attacker with a different skill set might hit just the right areas of expertise to discover flaws too subtle for testers with a significant but different skill set to find. Furthermore, testing regimens are limited by the imagination of the testers themselves. Some of the best attackers are incredibly creative, using vulnerabilities in ways that many penetration testers might not even consider.
Lastly, most professional penetration testing is limited by the current known exploits available publicly. Most penetration testers do not write their own exploits, but rather rely on exploits written by others. Even for those pen testers who do write exploits, often there is not enough time to create a custom exploit for a newly discovered flaw in a given target environment. The resources of a test project are finite, and creating custom exploit code could easily use up a great deal of the overall project’s budget or time. So, unless the project has a specifically huge budget, the client has specified a very narrow focus, or a given exploit for a flaw can be applied to several target organizations in numerous tests, custom exploit development during a penetration test is very uncommon.
These limitations can be overcomed by having a highly skilled and experienced set of penetration testers.
Incoming search terms:
- limitation of penetration test
- Limitations of Penetration Testing
- disadvantages of penetration testing
- limitation of penetration testing
- penetration testing limitations