Penetration Testing versus Security Architecture Assessments

 

It is worth commenting on the positioning of a penetration test relative to a security architecture review or assessment. Penetration testing services are available from many organisations and are generally well understood and widely utilised throughout the security community.

 

Firstly, penetration testing and architecture assessments are complementary, as they achieve different goals and can uncover different issues.

 

The primary goal of a penetration test is to find vectors to break into an organisation and gain access to key assets in a controlled and ethical manner. At the most fundamental level, penetration tests are performed in much the same way as a malicious hacker would attempt an intrusion. They look for open attack vectors and vulnerabilities which can be exploited. The goal is to find them and close them ahead of a malicious hacker.

 

Penetration tests are a practical simulated attack on the organisation. In many cases penetration tests will achieve a successful intrusion or intrusions through one or more exploitable attack vectors. In these cases the reason for the successful attack can be analysed and remediated. Commonly this will mean updating an operating system or application to close an open vulnerability. Such findings may well be the result of a process problem, sometimes small, for example a single patch missed during a patching cycle, but sometimes more significant, for example a larger-scale inadequate patching or software maintenance process.

 

Penetration testing services generally do not look at the underlying architecture. There are many organisations that have architectural deficiencies, but with no open attack vector at the time of a penetration test. In these cases, the penetration test will likely not pick up a high-risk issue in the network, should it exist. Let me provide an example. Let's assume that a network has a poorly designed or outdated Internet DMZ architecture where a server, if successfully exploited and owned, would provide open access deeper into other parts of the network. Say that at the time of the penetration test that server was at recent patch levels with no known exploitable vulnerabilities. Then a penetration test would not detect any issue. At a later point in time, a critical vulnerability is announced which leaves the previously tested server vulnerable. We now have a fully exploitable path for an attacker to gain entry deep into the network. More importantly, this is one of many situations which would not have been detected through a penetration test alone.

 

I am not trying to suggest that penetration testing is not a necessary or valuable service - it is. But the limits of what it can achieve should be well understood. 

 

Architecture analysis, architecture reviews and assessments provide a different approach with different goals. This approach is entirely complementary to penetration testing services. An architectural analysis, as the name suggests, is designed to find architectural issues which can allow an intrusion under certain conditions, or constitute a high-risk deployment. Today, many networks have grown organically, or have had multiple groups of personnel working on the network throughout its life. All too often new services are deployed with tight timeframes, i.e. the "just get it working" approach. As a result, sub-optimal or poor architectures get deployed and can remain for many years. These are often time bombs waiting to be exploited and can pose very significant business risks.
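The DMZ scenario above can be expressed as a small reachability check, shown here as an added example that is not part of the original post. The zone names, allowed flows and vulnerability sets are constructed for illustration, and the "pen test" function is a deliberate simplification: it reports a path only when the exposed host is exploitable on the day.

```python
from collections import deque

# Constructed sample: allowed network flows as a firewall rule review might
# summarise them. All host and zone names are hypothetical.
ALLOWED_FLOWS = {
    "internet": ["dmz-web"],
    "dmz-web": ["app-server", "internal-db", "file-server"],  # overly broad DMZ egress
    "app-server": ["internal-db"],
    "file-server": ["domain-controller"],
    "internal-db": [],
    "domain-controller": [],
}
KEY_ASSETS = {"internal-db", "domain-controller"}
VULNERABLE_AT_TEST = set()      # everything patched on the day of the test
VULNERABLE_LATER = {"dmz-web"}  # a critical vulnerability is announced later


def reachable_if_compromised(flows, start):
    """Architecture view: every host reachable once `start` is assumed owned."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in flows.get(queue.popleft(), []):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pentest_finding(flows, entry, vulnerable):
    """Point-in-time view: key assets reached via hosts exploitable today."""
    found = set()
    for host in flows.get(entry, []):
        if host in vulnerable:
            found |= reachable_if_compromised(flows, host) & KEY_ASSETS
    return found


def architecture_findings(flows, entry, key_assets):
    """Flag exposed hosts whose compromise would expose key assets,
    regardless of their current patch level."""
    findings = {}
    for host in flows.get(entry, []):
        exposed = reachable_if_compromised(flows, host) & key_assets
        if exposed:
            findings[host] = sorted(exposed)
    return findings


if __name__ == "__main__":
    print("pen test, test day :", pentest_finding(ALLOWED_FLOWS, "internet", VULNERABLE_AT_TEST))
    print("pen test, later    :", pentest_finding(ALLOWED_FLOWS, "internet", VULNERABLE_LATER))
    print("architecture review:", architecture_findings(ALLOWED_FLOWS, "internet", KEY_ASSETS))
```

The architecture check flags the DMZ server on both dates, because it depends on the allowed flows rather than on whether a vulnerability is known at the time.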

 

Sound security architecture involves many fundamental design principles. Dramatic changes have occurred in the security landscape over the last few years, and the use of sound security architecture principles is now more important than ever. In this day and age, circa 2015, newer architectural approaches such as Kill Chains are being recognised for their benefits. These architectural approaches are being adopted in thought-leading organisations with solid outcomes.

 

I hope this brief blog post has helped position the benefits of architectural assessments in comparison to penetration testing.