A random thought: Offensive security testing has a genuinely important role. But right now pentesting & red teaming are typically being (mis)used by organizations, and the way they're being misused actually illustrates important things about the lousy state of security overall.
The way adversarial testing is supposed to work is that you take systems and plans which seem solid on paper, and subject them to attack by a human opponent using tools & techniques to accomplish actions. The aim is to reveal weaknesses and failings that aren't obvious on paper.
But, at least from what I understand and hear all the time, most findings from offense testing aren't like those kinds of issues.

Most are weaknesses that should have been, or even actually were, quite obvious to the organization "on paper" but yet were not corrected.
Where an organization does not correct significant, known, persistent security deficiencies that are exploitable by threats the organization needs to defend against before external prompting comes in, that is a sign of serious dysfunction.
Put more directly: Offensive testers should not need to try to persuade organizations to fix enduring, obvious, easy-to-attack weaknesses.

The fact that they haven't been fixed yet says significant organizational problems exist in how that organization treats security.
And finally, I'm dubious about the "But we demonstrate the risk is real!" thing. With newer or more technically complex issues, I could buy that. But an org that is competent at fire safety doesn't need a demo of something burning down to know having working smoke alarms matters.
In sum, it's an inefficient use of resources to task offensive security testers with assessing the networks of organizations that lack foundational competence or concern about security.

(Unless, perhaps, it's part of a working oversight means that can actually require change.)
You can follow @arekfurt.