Penetration testing is a security process carried out to detect and examine security vulnerabilities and weak points of an institution's systems, networks or applications within a certain scope. This process is carried out using similar techniques and methods from an aggressive perspective within ethical rules. There are many problems and difficulties that may be encountered in this process. Some of these challenges are discussed below, along with suggested solutions;
Current Technology, Knowledge and Skills:
Current technology, knowledge and skills are one of the important challenges encountered in penetration testing processes. Cyber attacks are attacks that are not stagnant and are constantly changing. Attackers constantly develop new technologies and new techniques to bypass security measures. Penetration testers need to constantly stay up to date on current threats and attack techniques. Current information and technologies should be prioritized in the scenarios created during the penetration testing processes of institutions. This requires continuous education and research.
Time Constraint / Qualified Personnel:
One of the most important decisions to make when starting project development is to determine a deadline. Parameters such as how long it will take to complete a task, such as completing certain features, also need to be considered. While planning the penetration test, since planning is done on a personnel/day basis, attention should be paid to the stage of determining the competence and working hours of the personnel who will perform the test, in order to avoid problems with the institution receiving the test service in terms of time planning. Another main problem of the sector is that it is difficult to find qualified experts who are trained in the sector and can use their time in the most efficient way. Increasing cybersecurity-related training in the education system and prioritizing technical training can play an active role in reducing this problem.
Obstacles of Security Products:
Security products on target systems are used by penetration testers to try to prevent attacks. This can make it difficult for penetration testers to test their abilities and bypass security measures. Security equipment used in target systems may have features intended to detect penetration testers or prevent their tests. Dealing with such devices and testing effectively can be a challenge for experts. At this point, it is important that the experts who will perform the test know the security products used and have knowledge in order to avoid problems. Entering the necessary exceptions for security products in white box penetration testing processes ensures that the process progresses more smoothly and quickly.
Lack of Current Inventory List of Institutions:
Not knowing the exact inventory due to turnover in most institutions due to changes in personnel, not using appropriate products to keep the inventory, and not following a certain procedure to add a new product or new device to the inventory when a new product or new device is used, makes the work of the experts who will perform the penetration test difficult. In order to avoid this problem, institutions' awareness on this issue should be increased. Before starting the penetration test, make sure that the inventory list is comprehensive.
Complexity of Target Systems:
Large and complex networks or applications may cause penetration testers to spend more time and resources. This makes it more difficult to thoroughly test all surfaces of the systems. In order to comprehensively examine all attack surfaces of these systems, the structure must be thoroughly understood and sufficient time must be given.
False Positives and False Negatives:
Penetration testing tools can produce false positive (false alarm) or false negative (missing a real threat) results in real-world conditions. Therefore, penetration testers need to carefully consider the results when using these tools.
As a result, the main source of difficulties in penetration testing processes is incomplete planning and incomplete information. As a result of institutions making the necessary planning by taking these issues into consideration, the main difficulties are overcome and more efficient results are achieved.
