A random thought: Offensive security testing has a genuinely important role. But right now pentesting & red teaming are typically being (mis)used by organizations, and the way they're being misused actually illustrates important things about the lousy state of security overall.
The way adversarial testing is supposed to work is that you take systems and plans which seem solid on paper, and subject them to attack by a human opponent using tools & techniques to accomplish actions. The aim is to reveal weaknesses and failings that aren't obvious on paper.
But, at least from what I understand and hear all the time, most findings from offense testing aren't like those kinds of issues.
Most are weaknesses that should have been, or even actually were, quite obvious to the organization "on paper" but yet were not corrected.
Where an organization does not correct significant, known, persistent security deficiencies that are exploitable by threats the organization needs to defend against before external prompting comes in, that is a sign of serious dysfunction.
Put more directly: Offensive testers should not need to try to persuade organizations to fix enduring, obvious, easy-to-attack weaknesses.
The fact that they haven't been fixed yet says significant organization problems exist in how that organization treats security.