At the time it was first introduced, a penetration test accurately represented how an attacker was likely to target a network.
Today, that is no longer the case. As digital networks and business processes have evolved, so too have their security needs.
The first generation of penetration testing was designed to assess much simpler networks than those in use today. Those networks lacked the complexity and scale of modern environments, and an attacker needed minimal traversal to move from breaching a network’s perimeter to being able to perform a malicious action. With fewer assets to protect and shallower networks to contend with, safeguarding against the exploitation of vulnerabilities was fundamental to preventing an attacker from achieving their goal.
Over time, vulnerability-centric security audit procedures have become the norm, and the focus on vulnerabilities has increased further with the second generation of penetration testing.
Networks today are much larger in size and scale, far more diverse in the technologies they implement and the complexity of their assets, and subject to more frequent development. The continued evolution of digital systems and technologies has created an infinite funnel of vulnerabilities to identify, manage, and remediate at an ever-increasing velocity. Over time, this has created more work for less reward in terms of the security value of the activities performed.
This means that vulnerability exploitation is no longer as critical to an attacker as it once was. Despite these changes, the second generation of penetration testing has continued to focus on the identification and remediation of vulnerabilities.
In reality, it is impossible to economically identify and remediate every vulnerability in a timely manner. Penetration testing’s continued focus on vulnerability management means that it no longer meets its original goal – to prevent an attacker from performing actions that are likely to cause harm to the business.