If professional penetration testers are out of your budget, is doing it yourself better than not doing it at all?
I’m not going to say that I would recommend DIY pen testing over and above a professional consultancy, because I wouldn’t. However, neither would I say it’s a red-flag idea. My rule of thumb would be to do what you are comfortable with, what management is comfortable with and what will do no harm, which really means that you will be stopping short of real penetration testing and sticking with vulnerability assessments instead.
So, what’s the difference between a vulnerability assessment and an actual penetration test? The former is a way of identifying security issues within your organisation by producing, in effect, a list of vulnerabilities. A proper pen test, however, is much more goal-oriented and as such should be thought of as a set of simulated attack scenarios designed to hit a specific target, such as accessing a particular database or finding and modifying a designated file. Done properly, it’s not a list producer but rather a methodology-mapping tool.