310 Core Software Security
to deliver quality results. Alan Paller once casually suggested to one of the
authors that there were not more than 1500 skilled penetration testers
extant. We don’t know the actual number, but there are not enough
highly skilled penetration testers to deliver all the work that is needed.
This situation will probably be true for some time. Because of this scarcity,
we suggest that attack and penetration testing be reserved for critical
components and for major releases that are expected to come under severe attack.
If your organization has sufficient attack and penetration resources,
the skilled human element is the strongest testing capability in security.
Everything that can be tested probably should be tested. However, we
have seen too many findings reports where the tester lacked this kind of
skill, did not take time to understand the target of the test, ran the
default tests, and reported hundreds of vulnerabilities. These sorts of
tests help no one. Development teams may look at the first few findings,
declare them false positives, and stop looking. This is the typical
response to a report filled with possible vulnerabilities rather than
confirmed issues. Generally, in these cases, the attack test was not tuned
and configured to the target, and perhaps the target itself was not configured
as it would be when deployed. In our experience, this is a big waste
of everyone's time.
Instead, focus your highly skilled resources, or the dollars that buy them, on
the most worthy targets. Critical code that must not fail can benefit greatly
from an A&P test, and a strong return on investment can be had before major
releases or after major revisions. This is where we suggest the most benefit
can be gained from skilled attack and penetration testing.
Because an attack and penetration test can take considerable time to
complete, the rate of code change must be considered when applying
this intensive type of test. If the rate of change (update) is faster than the
time it takes to test the system, vulnerabilities may be introduced before
the test even completes. These two factors must be weighed against each other
to get the most useful results. Generally, even if updates ship every day,
those updates will not be major releases, and certainly not major revisions.
Hence, testing at the larger code inflection points can be a better investment.
What is critical code? We have seen numerous definitions of “critical”:
• The highest-revenue system
• The most attacked system
• The largest system