No flaws found in OpenVPN software. Our response to the CVE-2019-14899 vulnerability report.

Should Pen-Testing Be Up For Debate?

Recap from the July 23rd, 2019 CISO/Security Vendor Relationship Podcast

by Lydia Pert

Cyber attacks can be costly to any organization. They can destroy systems, lose organizations money, and cause reputational damage — but performing a penetration test can help protect your organization and its network. With the numerous security breaches taking place around the world, there is no doubt that penetration testing is one of the most critical components for securing sensitive organizational data.

Penetration testing is conducted to expose potential risks. This hands-on approach allows testers to launch a variety of attacks in a range of conditions to discover critical issues and identify ways to improve overall security. But, like any security mechanism, it’s not perfect. In the most recent Cloud Security Tip, Steve Prentice explains some of the problems with pen-testing — and why organizations should still test anyway.

Pros and Cons of Pen-Testing

Penetration testing is generally acknowledged as an essential aspect of cybersecurity, but is often subjected to debate — and more than one cybersecurity organization has pointed out that there are a few flaws in the pen-testing concept that make it worth a second look. Here is a brief outline of the pros and cons of penetration testing:


  • Introduces a proactive security element.
  • Identifies vulnerabilities in your organization.
  • Assesses said organizational vulnerabilities.
  • Provides specific advice for improvement.
  • Tailored to meet your organizations needs.


  • Usually requires hiring an outside testing firm.
  • The test success depends on the skills of the tester.
  • Improper tests can cause a lot of damage.
  • Must employ realistic test conditions for accurate results.
  • Successful testing can lead to a false sense of security.

pen testing cloud security tip quote
But while penetration testing is not a cure-all — it should not be disregarded. Recent data breach statistics suggest that small to medium-sized businesses are at the highest risk for breaches, which means these organizations need to be very proactive. Penetration testing could be a great step for companies to take — assuming the leadership knows how to mitigate the risks.

Mitigating Pen-Testing Disadvantages

If you are considering penetration testing for your organization, it is crucial to ensure that your pentester has the necessary skills and experience. Otherwise, they could unnecessarily disrupt business operations, or even expose the network and resources to real risk. It might be tempting to hire a lesser-qualified tester to keep the price low, but it could end up costing you far more down the road.

Also keep in mind that pen-testing is not a full security audit, and it is unlikely that every single vulnerability will be identified. Don’t allow yourself to be lulled into a false sense of security — no matter what the test does (or does not) find, there will never be a time to let your guard down or stop prioritizing your cybersecurity initiatives.

Wrapping It Up

Opinions about pen-testing will always be divided — but savvy business leader must go back to a fundamental analytical question: “what do we not know that we don’t know?” While penetration testing should never be considered a single protective measure, it should be seen as an essential component of a broader cybersecurity approach.

In addition to penetration testing, a reliable business VPN such as OpenVPN Access Server can help keep your business network secure and defended — and offers top-notch cybersecurity, remote access, and access control. Access Server is free to install and use for a maximum of 2 simultaneous VPN connections, so you can try it without having to pay first. If you need more connections, the cost is a $15.00 license fee per connected device per year — all updates and 24/7 support included.