Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The economic failures of penetration testing- 1858

Zeyu, posted 2 months ago
  • The failure of the penetration testing market is usually framed as a technical problem. The author argues instead that it is an economic incentives problem: the market rewards the appearance of security over the actual reduction of risk at the company. Because of this, "it is not a market for outcomes, it is a market for signals."
  • The author compares the market to used car sales (the classic "market for lemons"). The seller knows more about the car's quality than the buyer, so the price settles at the expected average quality, and the higher-quality sellers are driven out of the market. Pentesting works much the same way: the buyer cannot tell where the quality stands, so they buy certifications and compliance rather than actual security. This leaves us at an equilibrium where a merely acceptable pentest is all that gets bought.
  • The next issue is bad incentives. Security teams are evaluated on audit success rather than on security posture, which incentivizes them to commission work that passes compliance checks with minimal friction. If a pentest uncovers real issues, that is extra work to deal with and it makes the team look bad. Because fixing issues is expensive and unrewarded, insecurity becomes a form of organizational equilibrium.
  • Compliance distorts demand by acting as a proxy for security. Pentests are bought not to find issues but to satisfy a checklist. Success is defined by the existence of a report, not by the absence of exploitation paths.
  • Flat fees and hourly rates turn pentesting into a race to the bottom on price, creating a market where firms cut costs through checklists and junior staffing. Why is price the thing being competed on? Because the quality of a pentest is largely unobservable. What the market prices is not risk reduction but plausible deniability.
  • The author's recommendations all come down to aligning incentives. On the pentester side, we should move away from one-off pentests toward long-term engagements where the seller is accountable for continuous outcomes. Today compliance is treated as security, which is backwards: compliance is a lagging indicator of security. It should be the byproduct of a secure system, not the objective in itself.
  • In general, the market doesn't value high-signal work because it costs more money and creates unwanted work. There is a great quote at the end that sums everything up: "They mirror the broader economics of prevention: costs are immediate, benefits are invisible, and success is defined by the absence of events that cannot be proven to have been avoided."