finger pointing at virtual screen
Wright Studio/

Penetration testing measures the effectiveness of your cybersecurity defensive measures. And remember, their effectiveness changes over time, so repeat as necessary. There’s nothing fit and forget in the world of cybersecurity.

The Vulnerability-Go-Round

All non-trivial software has bugs. And there’s software everywhere you look on your network, so the sad truth is, your network is full of bugs. Not all of those bugs will result in a vulnerability, but some will. And if just one of those vulnerabilities is exploited by threat actors, your network is compromised.

Operating systems, software applications, and device firmware are all forms of software. It’s obvious that servers and network endpoints will run operating systems and applications. The items that are often overlooked are other network appliances such as firewalls, routers, wireless access points, and switches. These all contain firmware at least, and often, an embedded operating system, too. Other devices, such as Internet-of-Things devices, and other smart devices also have firmware, an embedded operating system, and some application code in them.

As vulnerabilities are discovered, responsible providers release security patches. These contain bug fixes for the known bugs, which close off the known vulnerabilities. But that won’t—without a stroke of very good luck—do anything to rectify any unknown vulnerabilities.

Suppose that a piece of software has three vulnerabilities. Two of them are discovered and a security patch is released to address them. The third vulnerability, as yet undiscovered, is still in the software. Sooner or later, that vulnerability will be discovered. If it’s discovered by cybercriminals, they can exploit that vulnerability in all systems running that version of the software until a patch is released by the manufacturer and the end-users apply that patch.

Ironically, new vulnerabilities can be introduced by patches, updates, and upgrades. And not all vulnerabilities are due to bugs. Some are due to terrible design decisions, such as the IoT Wi-Fi-enabled CCTV cameras that didn’t permit users to change the admin password. So it’s impossible to say that your systems are free from vulnerabilities. But that doesn’t mean that you shouldn’t do what you can to make sure that they’re free from known vulnerabilities.

Penetration Testing and Vulnerability Testing

A penetration test is actually a large suite of tests designed to evaluate the security of your externally facing IT assets. Specialist software is used to methodically identify any exploitable vulnerabilities. It does this by performing numerous benign attacks on your defenses. A test run can include hundreds of different scheduled tests.

Vulnerability testing is a similar type of scan, but it’s performed inside your network. It looks for the same type of vulnerabilities as penetration testing and checks that operating system versions are current and still supported by the manufacturer. Vulnerability testing identifies the vulnerabilities that a threat actor or malware could exploit if either one gained access to your network.

The reports generated by these tests can be overwhelming at first glance. Each vulnerability is described and their Common Vulnerabilities and Exposures number is given. This can be used to look up the vulnerability in one of the online vulnerability indexes. Even modest networks can generate reports running into many tens of pages. For medium-sized networks, the reports can be measured in hundreds of pages.

Thankfully, the vulnerabilities are ranked according to their severity. Obviously, you need to address the highest priority—that is, the most severe—vulnerabilities first, and then the second-highest priority ones, and so on. The lowest-grade vulnerabilities are technically vulnerabilities but are of such low risk that they’re considered more of an advisory than a compulsory item to rectify.

Sometimes, correcting one vulnerability will clear off whole swathes of issues. An expired or self-signed TLS/SSL certificate can generate a long list of vulnerabilities. But correcting that one issue will address all of the related vulnerabilities in one fell swoop.

RELATED: How Do SSL Certificates Secure the Web?

The Benefits of Penetration Testing

The most important benefit that a penetration test provides is knowledge. The report allows you to understand and rectify the known vulnerabilities that are present in your IT assets, network, and websites. The prioritized list tells you clearly which vulnerabilities to address immediately, which to tackle next, and so on. It ensures that your efforts are always directed to the most severe remaining vulnerabilities. It will certainly identify risks that you didn’t know you had, but it will also—albeit through negative evidence—show you the areas that are already tightly secured.

Some penetration-testing software can identify vulnerabilities due to misconfiguration issues or poor cybersecurity hygiene, such as conflicting firewall rules or default passwords. These are easy, fast, low-cost fixes that immediately improve your cyber posture.

Anything that improves the effectiveness of your cybersecurity protects your most sensitive data and works in favor of your business continuity. And of course, preventing breaches and other security incidents also helps you avoid data protection fines or lawsuits from data subjects.

Knowing where your weak points were—and what they were—can help you plan and build a road map for your defensive strategy. This enables you to budget for and prioritize your security expenditure. It also allows you to spot holes in your policy procedures or areas where they’re not being upheld.

If your patching strategy is being adhered to, security patches and bug fixes should be applied in a timely fashion once they’ve been released by the manufacturer. Maintaining that discipline will keep your operating systems, applications, and firmware from falling behind.

If your organization operates to a standard such as the Payment Card Industry Data Security Standard (PCI-DSS) or ISO/EUC 27001, penetration testing will probably be a mandatory step for compliance. Cyber liability insurance providers might require you to conduct penetration before they offer you a policy, or they might offer a reduced premium if you regularly perform penetration testing.

Increasingly, both prospective and existing customers are asking to see the results of a recent penetration test report as part of their due diligence. A prospective customer has to satisfy themselves that you take security seriously before they can entrust you with any of their data. Existing customers must also satisfy themselves that their current providers are taking the necessary cybersecurity precautions to prevent themselves from falling afoul of a supply-chain attack.

It Isn’t a One-Time Thing

You’re not going to want the results of your first penetration test to go outside of your organization. Do your first round of testing, execute the remedial work, and then re-test. That second set of testing should provide your working baseline and a set of results that you’d be willing to share with outside parties.

Penetration needs to be repeated at least annually. A six-month cycle is a good fit for most organizations.

Profile Photo for Dave McKay Dave McKay
Dave McKay first used computers when punched paper tape was in vogue, and he has been programming ever since. After over 30 years in the IT industry, he is now a full-time technology journalist. During his career, he has worked as a freelance programmer, manager of an international software development team, an IT services project manager, and, most recently, as a Data Protection Officer. His writing has been published by,,, and Dave is a Linux evangelist and open source advocate.
Read Full Bio »