Penetration testing: Tools are sometimes wrong.

In this imperfect world, anything can go wrong, and that includes the tools we use for penetration testing. No matter which tools you use, the newest, the fanciest, or the most expensive, there is always a chance that they will report false positives or false negatives.

A false positive means the tool reports a vulnerability that does not exist; a false negative means the tool produces a clean report while a real vulnerability is present in the system. Both kinds of error show up in almost every penetration test, and only the first is a "false alarm": a false negative raises no alarm at all, which is what makes it the more dangerous of the two.

For these reasons, it is important to remember that automated testing is not enough. Manual penetration testing should be added to double-check the automated results. The penetration testing team has to verify what the tools report and, more importantly, provide solutions for the vulnerabilities that exist and for those that may still be found.

In practice, it is wise for the penetration testing team to begin manual testing by determining the scope of the engagement. The next step is to conduct either focused or comprehensive manual testing. Focused manual testing targets specific vulnerabilities within a particular domain; it examines the flaw categories that currently require manual inspection to assess adequately, such as business-logic flaws. Comprehensive manual testing, on the other hand, assesses the broader situation of the target and identifies discrete vulnerabilities across it. The last important step is to combine the automated and manual results.

With the combined results, penetration testers can eliminate false positives and, hopefully, identify false negatives before reporting to the client. A good team produces an easy-to-understand report that highlights the most important issues and provides solutions. More importantly, the report should be understandable by executives, so that they know what steps to take to protect their company's data and information.
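As an added example (this code is not from the original post and models no particular scanner), here is the combination step described above expressed as a small reconciliation script: every automated finding receives a manual verdict, anything without a verdict stays "unverified" rather than being promoted to a confirmed issue, and anything the tester found by hand that no tool reported is recorded as a false negative of the tooling. The hosts, ports, finding titles, severity ordering and the record layout are all constructed assumptions.

```python
# Added example (not from the original post): reconciling automated scanner
# findings with a manual verification pass. All hosts, ports and findings are
# constructed sample data; the record layout is an assumed minimal schema,
# not the output format of any particular scanner.
from dataclasses import dataclass

# Assumed severity ordering, used only to sort the report.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str
    source: str  # "automated" or "manual"

    def key(self):
        # Identity used to match automated findings against manual results.
        return (self.host, self.port, self.title)


# Constructed scanner output. The SSH finding is banner-based and will turn out
# to be a false positive; the "Default credentials" finding never gets a verdict.
AUTOMATED = [
    Finding("10.0.0.5", 443, "TLS 1.0 enabled", "medium", "automated"),
    Finding("10.0.0.5", 22, "Outdated SSH version (banner)", "high", "automated"),
    Finding("10.0.0.7", 80, "Directory listing enabled", "low", "automated"),
    Finding("10.0.0.9", 8080, "Default credentials", "critical", "automated"),
]

# Constructed manual verdicts: True = reproduced by hand, False = refuted.
MANUAL_VERDICTS = {
    ("10.0.0.5", 443, "TLS 1.0 enabled"): True,
    ("10.0.0.5", 22, "Outdated SSH version (banner)"): False,  # fix was backported; banner misleads
    ("10.0.0.7", 80, "Directory listing enabled"): True,
}

# Constructed findings the tester discovered by hand that no tool reported.
MANUAL_ONLY = [
    Finding("10.0.0.7", 80, "IDOR in order lookup", "high", "manual"),
]


def reconcile(automated, verdicts, manual_only):
    """Classify findings as confirmed, false_positive, unverified or false_negative."""
    report = {"confirmed": [], "false_positive": [], "unverified": [], "false_negative": []}
    for f in automated:
        verdict = verdicts.get(f.key())
        if verdict is True:
            report["confirmed"].append(f)
        elif verdict is False:
            report["false_positive"].append(f)
        else:
            # Never promote an unverified tool result to a confirmed issue.
            report["unverified"].append(f)
    seen = {f.key() for f in automated}
    for f in manual_only:
        if f.key() not in seen:
            report["false_negative"].append(f)  # the tooling missed this one
    for bucket in report.values():
        bucket.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return report


def reportable(report):
    """Issues that belong in the client report: confirmed plus tool-missed, by severity."""
    issues = report["confirmed"] + report["false_negative"]
    return sorted(issues, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


if __name__ == "__main__":
    rep = reconcile(AUTOMATED, MANUAL_VERDICTS, MANUAL_ONLY)
    for status, items in rep.items():
        print(f"{status}: {[f.title for f in items]}")
    print("client report:", [(f.severity, f.title) for f in reportable(rep)])
```

Running it prints the four buckets and the ordered list for the client report. The bucket to watch is "unverified": a finding nobody reproduced is exactly the kind of tool output that becomes a false positive in the final report if it is passed through unchanged, and the false-negative bucket is the part of the report that only manual testing can ever fill.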