Security Testing and Penetration Testing Comparison
Owner
SEC testing is often managed as part of a programme's larger test campaign, whereas PEN testing is often still considered too specialised and is managed instead by the Information Security Office (ISO). This need not be the case. Either way, the ISO still needs to be confident in the security profile before allowing a change to migrate to, or stay in, production.

Focus
SEC testing's focus is verifying and validating the security characteristics of the architecture and design, and specifically that the controls required by the ISO have been successfully commissioned.

Approach
SEC testing is inherently white-box. The architecture and design generally, and the security architecture and design in particular, should be available and must be inspected as part of the verification process. Security controls specifically are the obvious target of security test design and must be included.

PEN testing in its purest "penetration" approach is black-box: the testing challenge is for an external agency, without the benefit of the programme's architecture and design, to penetrate or circumvent the controls in place. It is similar to the classic "double-blind" testing that was held in such high regard in test theory. Of course, the more information the would-be penetrator can access, the better their chances of finding a vulnerability. That is why there is necessary secrecy around (i) the security architecture and design, which tends to be common across the industry, and (ii) the security defects discovered, which are not. Security defects really do need to be kept to a limited audience, even after they have been remedied, because historical vulnerabilities can point to current inadequacies.

Timing
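To make the Focus and Approach points concrete, here is an added illustration of what a white-box SEC test of a single commissioned control looks like (example code, not from the original article). The control, an account-lockout threshold, its design parameter `LockoutSpec` and the toy `AuthService` are all hypothetical stand-ins for whatever control the ISO actually requires; the point is that the test derives its expected behaviour from the design document rather than from probing blind, and so can catch a commissioning defect such as an off-by-one in the threshold.

```python
"""White-box verification of one design-specified control (added example).

Everything here is constructed for illustration: the lockout control, the
LockoutSpec design parameter and the AuthService are hypothetical stand-ins
for a real programme's ISO-mandated control and its implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockoutSpec:
    """What the (hypothetical) security design says the control must do."""
    threshold: int = 5          # failed attempts at which the account locks
    reset_on_success: bool = True


@dataclass
class AuthService:
    """Toy authentication service that implements the lockout control."""
    spec: LockoutSpec
    users: dict                                  # username -> password (constructed)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    off_by_one_defect: bool = False              # simulates a mis-commissioned control

    def login(self, user: str, password: str) -> bool:
        if user in self.locked:
            return False                         # locked accounts are refused outright
        if self.users.get(user) == password:
            if self.spec.reset_on_success:
                self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        limit_hit = (self.failures[user] > self.spec.threshold
                     if self.off_by_one_defect
                     else self.failures[user] >= self.spec.threshold)
        if limit_hit:
            self.locked.add(user)
        return False


def verify_lockout_control(service: AuthService, spec: LockoutSpec,
                           user: str, good_pw: str) -> dict:
    """White-box SEC test: expected behaviour is read from the design spec.

    Returns named checks -> pass/fail, the shape a test report would carry.
    """
    results = {}
    # 1. threshold-1 failures must not lock the account (no false lockouts)
    for _ in range(spec.threshold - 1):
        service.login(user, "wrong-" + good_pw)
    results["not_locked_below_threshold"] = service.login(user, good_pw)
    # 2. exactly `threshold` failures must lock it (counter was reset above)
    for _ in range(spec.threshold):
        service.login(user, "wrong-" + good_pw)
    results["locked_at_threshold"] = user in service.locked
    # 3. a locked account must refuse even the correct password
    results["correct_password_refused_when_locked"] = not service.login(user, good_pw)
    results["all_pass"] = all(results.values())
    return results


if __name__ == "__main__":
    spec = LockoutSpec(threshold=5)
    ok = AuthService(spec, {"alice": "s3cret"})          # constructed account
    print("correct build :", verify_lockout_control(ok, spec, "alice", "s3cret"))
    bad = AuthService(spec, {"alice": "s3cret"}, off_by_one_defect=True)
    print("defective build:", verify_lockout_control(bad, spec, "alice", "s3cret"))
```

Run against the correct build every check passes; against the build with the off-by-one defect, `locked_at_threshold` fails and the correct password is still accepted, which is exactly the kind of finding a black-box tester could only reach by guessing the threshold.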
PEN testing is generally the last phase of testing, just before release. This way it does not need to be repeated. That makes sense partly because it is usually an external agency that performs the penetration testing, and repeat engagements to commission these specialists tend to show up very clearly in the budget.

SEC testing is more flexible in its placement in the overall test campaign, but early and late phases make sense, to give sufficient time for remediation and retesting.
