Benjamin Franklin has been credited with saying, “time is money,” and I can’t think of a statement that’s more accurate than that for pen-testers. In today’s blog, we’re going to discuss three things to look for in a penetration testing tool that will help you turn your time into money.
3 Things to Look for in a Penetration Testing Tool
The first thing to look for in a pen-testing tool is to be able to be used as a centralized toolset. I’m kind of a DIY’er – albeit not a great one – as I like to take on some small projects around the house. One thing that drives me nuts, is having to switch between multiple tools for one specific job. One recent task I took on was replacing all of the electrical outlets in my home. To take off the face plate of the outlet, I needed a small flat head screwdriver. Then, to remove the outlet from the wall, I needed a phillips-head. This drove me bonkers! I felt like I spent so much time flipping the screwdriver from end to end that I was never going to finish. If only they made a tool that had a phillips driver on one end and a flat head driver on the other! I think this is a great metaphor for how pen-testers use tools today. They use nmap for information gathering. Then, they may use vulnerability assessment scan results to add context to the nmap data. From there, they may try specific exploits from their favorite pen testing tool – or may try to use something like PowerShell or python scripts. Once done, they have to compile all of their findings from the many different tools and put that data into a report. All of this switching between tools and keeping track of data is very time consuming and cumbersome. This is why looking for a tool that can be used as a centralized toolset is so important.
The second thing to consider when looking for a pen-testing tool is for its ability to be customized. By definition, customize means, “to modify or build according to individual or personal specifications or preference.” Another thing to know about me is that I’m kind of a motorcycle guy. One of the reasons I chose the motorcycle I did was because of how many different customizable options it had. There were some things I liked about the bike and other things that I wanted to tweak. If the manufacturer told me I’d void my warranty if I changed my seat, I would’ve passed. Why? Because that would’ve meant every time I rode I would have been uncomfortable. And after a few rides of discomfort, the enjoyment of the open road would have been overshadowed by the stiff back, neck and shoulders. It wouldn’t have been worth it. I would’ve stopped riding and then had a really nice, expensive bike, collecting dust in the garage. The point being, while the bike was nice coming off of the factory floor, I needed to add a few things to allow it to fit me better. As you look for a pen-testing tool, finding a tool that allows you to add custom modules or create groups of modules to run in a manner that makes sense to you is something worth considering. Because if you can’t make it fit your needs, you’ll end up not using it.
Lastly, a pen-testing tool should be efficient. Like I stated in the opening, time is money. And as a society, we’re beginning to grab hold of this idea that automation makes our lives easier. Look at the Amazon Echo or even Google Home. These are the top two digital assistants on the market today. Why do people love them? Simple. Because automation saves time and makes us more efficient. I’m really looking forward to the day when I can simply belt out, “Hey Google, tell Bart (that would be my robots name if I had one) to fix the bed, fold the laundry and vacuum the floor.” By themselves, these tasks are simple and only take a few minutes each. But if you were to do each of these tasks every day, and each one takes you on average 5 min, that’s roughly 91 hours a year. If I were able to automate these duties, I’d have 91 hrs more to play with my kiddos or perhaps take an online class. You get the idea – automation makes everyone more efficient. Looking for a pen-testing tool that would allow you to automate the exploitation of the low hanging fruit or even automating simple tasks would make you more efficient as a pen-tester. The end result is more time thus putting more money in your pocket.