The English language evolves and changes over time and new words are created. In many cases, simply combining the different sounds from two words can make a new one. “Smog” from smoke and fog, “malware” from malicious and software, and internet from inter-networking are just a few examples. There’s even a term for these words — portmanteau words — a reference to a suitcase with two compartments.
According to the Merriam-Webster dictionary:
In Lewis Carroll’s Through the Looking Glass, Alice asks Humpty Dumpty to explain words from the nonsense poem “Jabberwocky” and is told that slithy is “like a portmanteau — there are two meanings packed up into one word.”
In the application security space, we have created a portmanteau of our own, the formal combination of “penetration” and “test” into pentest. With this post we would like to propose that there is also a different semantic meaning between “Penetration Test” and “pentest”.
Why all the grammatical fuss?
Clarity and consistency are two big reasons. Over the past decade terms like “penetration test,” “pen test” and the capitalized combo, “PenTest” have all been used, but we believe there’s an important distinction to be made by using the verb pentest. A “penetration test” and “pentest” today reflect very different things. When technology evolves and processes change, the words we use should convey what is actually provided.
As computers gained the ability to exchange data across communication lines in the mid-1960s, computer security experts recognized the risk of hackers penetrating those communication lines. Government and businesses created teams that would go on the hunt for vulnerabilities and test the ability of computer networks to resist attack.
Initially it doesn’t sound all that different from what we still see today. We suggest that a penetration test is a discrete event, typically covering a single system and resulting in a static report. Many providers are still delivering penetration tests, perhaps on an annual or semi-annual basis with the subsequent PDF report of vulnerabilities.
But a lot has changed in forty years, especially when it comes to software development. In an era when enterprise software applications took years to develop and subsequent updates also had their own lifecycles, a penetration test was conducted and the report was used to fix vulnerabilities prior to release. Can the same process deliver value when software is pushed out daily on APIs, mobile platforms and the cloud?
Through the Looking Glass begins with Alice climbing through a mirror to a world she sees beyond it. We believe we are already there and our wording just needs to catch up.
That’s where “pentest” comes in. Pentest is a verb that occurs frequently (pentesting), if not constantly. It’s the smaller, faster, more agile offspring of its grammatical relative. Pentesting is the logical and necessary solution to enhance the security of modern software development practices that are operating on demand in the cloud.
A penetration test denotes a single event in time, whereas pentesting occurs in real time. You can and should pentest an app, and we want more developers and security teams to ‘pentest apps’ on an ongoing basis. By removing one small space, we strive to eliminate a big space between the security experts who find vulnerabilities and the software experts who fix them — whether you think of that “space” in terms of development cycles or security risks.