Penetration testing, once considered a risky practice for the enterprise and
even a tool for evil hacking purposes, is becoming more of an accepted
mainstream process in the enterprise mainly due to compliance requirements, more
automated, user-friendly tools — and most recently, the imminent arrival of a
commercial offering based on the popular open-source Metasploit tool.
Rapid7’s purchase of the Metasploit Project last month and its hiring of the
renowned creator of Metasploit, HD Moore, demonstrate just how far penetration
testing has come during the past 18 months, security analysts say. While some
organizations still confuse penetration testing with the more pervasive
vulnerability scanning, which searches for and pinpoints specific
vulnerabilities and weaknesses, penetration testing is finally about to enter a
new phase of commercial deployment, experts say.
Penetration testing basically puts the tester in the shoes of a would-be
attacker, using exploits and attack combinations against a network or
application to find where the actual exploitable weaknesses lay.
"This is an exciting time because we’re starting see even the edgy [penetration
testing providers] look to the enterprise as a viable market," says Nick Selby,
managing director of Trident Risk Management, a Dallas-based security and
consultancy firm. "The technology is more mature so that the more experienced
and skilled penetration testers have better toolsets than ever…and the less
experienced ones can do more of the low-hanging fruit work."