Pentesting is a typical cybersecurity process. It is an activity in which an analyst, starting with the least information possible about a target, tries to find security vulnerabilities in it. The target is defined by a scope, which can be one or more web applications, mobile apps, IP ranges, or any other list of assets.
An analyst or a team of analysts executes a pentest following steps similar to those a real attacker would follow: gather information, map the attack surface, identify vulnerabilities, and exploit them.
Vulnerability management is difficult. Many organizations aim to fix all the security vulnerabilities they can identify. They want to run a scanner like Qualys and have everything come up green. In my opinion, it is a good and ambitious objective, but that strategy can be counter-productive.
On the 12th of May, 2022, the United States of America (US) published the “Executive Order on Improving the Nation’s Cybersecurity”. This executive order was a direct consequence of the infamous SolarWinds incident that allegedly affected the US government. This regulation tries to unify, establish, and improve the cybersecurity policies and processes of the whole US Federal Government.
Today, the 1st of November, many teams will be upgrading OpenSSL to fix the critical vulnerability that will be announced between 13:00 and 17:00 UTC. That will be possible only if they know where OpenSSL is installed in their infrastructure. Organizations know that an inventory of assets is essential for security; however, few have one that is up to date. Even when a company has an up-to-date inventory of assets, it might not include information about the packages installed on operating systems, containers, and container images.
Florencio Cano. Principal Product Security Analyst at Red Hat with a focus on cloud services. Former Mercadona CISO. Opinions expressed are solely my own and do not express the views or opinions of my employer.