Sunday, 14 April 2013

Testing is more than running a tool

There are many uses of testing tools.

There are indeed many benefits as well.

In using automated tools, the tester can reduce the effort required to do repetitive tasks. More importantly, with many of these simple or repetitive tasks, the correct implementation of the tool can actually improve the consistency of the results. This helps provide a standardized testing metric as well.

The problem is that we often have unrealistic expectations of what we can achieve using a tool. Testing tools are no substitute for individual experience. What is required is experienced professionals who use tools to improve the economic efficiency of what they are doing. Penetration testing is no different from any other form of information technology testing. What a tool provides is a way to take these simple, repetitive tasks out of the work the tester has to run manually. Basically, we want the tester to leverage their expertise as much as possible.

Without due consideration of the following points, the introduction of tools and their use in a penetration test can often end up being an expensive waste of time:

  • a solid understanding of the system being tested,
  • the types of vulnerabilities and how to exploit them,
  • the processes and especially the business processes involved and the relationship between the various systems.

What is required is the development of a rigorous process that incorporates automated tools when necessary to minimize the time, but which is founded on manual processes and experience. The reliance on tools takes away from the required level of skill in this type of test. In fact, a poorly thought-out process based on the use of a sophisticated tool alone will rarely provide good results.
