Pentesters do not really make the world more secure

Most big clients I have been working with lately have managed to incorporate pentesting into their regular process. Almost every new application is pentested by a consulting company. The findings are presented during a meeting with the Security Officer and the action plan is approved by the project leader… Security is increasing and everything is moving forward, right?

Not quite so. It takes a second pentest a couple of years later, either because of a routine check or following a major upgrade, to realize that nothing has really changed since!

I am not talking about RC4 algorithms on OpenSSL, Clickjacking and other dumb vulnerabilities, but Stored XSS, SQL injections, Direct object references… The sort of vulnerabilities that should not be present on a freaking cash flow application… Yet here they are, two years later, still not fixed.

I can’t help but wonder whose fault that is:

  • The project leader for budgeting a full scale pentest at a low 10k?
  • The consulting company for assigning the job to an intern to maximize revenues?
  • The same intern who had no clue how to remediate an SQL injection, and probably missed 80% of the vulnerabilities?
  • The developer who dismissed the vulnerability because the recommendation was poorly written?
  • The project leader in charge who did not properly validate the remediation actions?
  • The vendor who fixed the vulnerabilities in its new version, but charges 30k for a licence upgrade?
  • The Security Officer with little to no power inside an organization?

What I am trying to say is, pentest the shit out of everything, have fun, but do not be so naive as to think that you are making your client more secure… Only they can do that.