For organisations aiming to fortify their defences against increasingly clever cyber threats, a standard penetration test, or pen test, is an indispensable process. It consists of simulating a cyber-attack in order to identify vulnerabilities. Think of it like trying to break into your own house to assess its security.
The deliberate, controlled and ethical probing of websites, applications and networks for such vulnerabilities provides an eye-opening new perspective on your security posture. It serves as a necessary reality check, revealing weaknesses that even the most carefully crafted systems might harbour.
Regardless of the precision and care invested in developing your digital infrastructure, certain vulnerabilities surface with persistent regularity in penetration tests. These recurring issues are not anomalies but rather pervasive challenges that, if left unchecked, could lead to significant security breaches and loss of operations.
Based on recent observations and industry trends in 2025, two key culprits emerge time after time: the critical oversight of outdated software and the often-mismanaged nuances of user rights. Understanding and mitigating these common bugbears is fundamental to establishing a robust and dependable cyber security framework.
The classic: outdated software
The digital world is always changing, with new threats and attack types emerging with alarming frequency. Consequently, the software that underpins our digital operations must change too. Ignoring software updates is akin to neglecting to repair a leaky roof and hoping that a bucket will suffice.
This complacency, unfortunately, leaves your systems susceptible to a whole host of cyber threats. These include ransomware that renders your valuable data inaccessible until a payment is made, sophisticated phishing attacks that use social engineering to manipulate employees into sharing sensitive information, and more.
The rationale behind software updates extends way beyond the addition of new features, refinements or visual upgrades. While these improvements are certainly welcome, their importance in an update package is secondary to patching security holes.
These vulnerabilities, once discovered, are often publicly disclosed, making them easy pickings for malicious actors. Thus, cybercriminals actively look for systems running outdated software, knowing that these unpatched flaws provide direct entry points into an organisation’s network.
The fact that this classic mistake has been highlighted by our standard penetration test time and time again reveals a systemic challenge within many organisations, often stemming from resource constraints, perceived operational disruptions or a simple lack of understanding regarding the immediate and severe risks involved.
However, the message remains clear: outdated software represents an open invitation for malicious activity. Each patch applied closes a potential door to compromise, while every neglected update keeps that door ajar. Prioritising and implementing a rigorous patch management strategy is a key requirement for maintaining digital security.
Behind the scenes: user rights management
Moving from the critically neglected to the subtly misunderstood, we address another common and often more insidious vulnerability identified by our standard penetration test: mismanaged user rights. This issue transcends simple software updates and instead involves the architectural integrity of an application’s security.
A common misconception, particularly among some developers, is that merely removing the visual presence of a button or an option for a user magically eliminates the underlying function it controls. This approach is a dangerous illusion of security.
The illusion of security
The practice of restricting access by removing a visual element, such as a button or a menu item, is a common yet fundamentally flawed security strategy. Developers might assume that if a user cannot see or interact with a particular control, they are thereby prevented from accessing its associated functionality.
However, this is a purely superficial measure rather than a genuine security control. The user interface (UI) is a presentation layer and does not dictate the permissible actions on the back end.
Why does this matter on a technical level?
- Front-end vs. back-end distinction
The visibility and interactivity of a button or any UI element are typically managed using client-side technologies such as Cascading Style Sheets (CSS) or JavaScript. These technologies operate entirely within the user’s web browser. While they control what the user sees and clicks, they do not, in themselves, alter or restrict the backend logic that processes requests. A client-side change can easily be bypassed.
- HTTP requests
A sophisticated user, or more critically, a malicious one, is not constrained by the visual interface. They can manually construct and send Hypertext Transfer Protocol (HTTP) requests directly to the application’s backend endpoints.
Even without a visible button, tools like Postman, cURL, or the developer console integrated into modern web browsers enable users to craft and dispatch these requests directly. If the backend is not equipped with robust validation, these direct requests can bypass any client-side ‘security’ measures entirely.
- Role-Based Access Control (RBAC)
Effective security measures, particularly those governing user permissions, must be implemented and enforced at the server or API level. This is where Role-Based Access Control (RBAC) comes into play.
RBAC ensures that access to specific functions and data is granted solely based on a user’s assigned role and the permissions associated with that role. It involves rigorous checks on every incoming request to verify that the authenticated user possesses the necessary rights to perform the requested action.
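The following is an added worked example, not code from the original article or from Net-Defence, illustrating both the "HTTP requests" point above (a hidden button does not stop a directly crafted request) and the RBAC point (the server must check the caller's role on every request). The roles, permissions, the session store, the user records and the `/admin/delete-user` endpoint are all constructed for illustration and are assumptions, not anything from the page.

```python
"""Hiding a UI control is not an access control; server-side RBAC is.

Added example: all roles, endpoints, sessions and users below are constructed
sample data, not taken from the article.
"""
from dataclasses import dataclass, field

# Server-side session store: token -> authenticated identity and role.
# The role is looked up here, never read from anything the client sends.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "admin"},
    "tok-bob": {"user": "bob", "role": "viewer"},
}

# Constructed RBAC policy: which permissions each role holds.
ROLE_PERMISSIONS = {
    "viewer": {"user:read"},
    "editor": {"user:read", "user:update"},
    "admin": {"user:read", "user:update", "user:delete"},
}

# Which permission each endpoint requires. Endpoints absent here are denied
# by default in the hardened handler.
ENDPOINT_PERMISSIONS = {
    ("GET", "/users"): "user:read",
    ("POST", "/admin/delete-user"): "user:delete",
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching the backend."""
    method: str
    path: str
    session_token: str
    body: dict = field(default_factory=dict)


def render_buttons(role: str) -> list:
    """Client-side layer: decides which buttons to draw. Presentation only."""
    buttons = ["View users"]
    if "user:delete" in ROLE_PERMISSIONS.get(role, set()):
        buttons.append("Delete user")
    return buttons


def _list_users(req, users):
    return 200, sorted(users)


def _delete_user(req, users):
    target = req.body.get("target")
    if target not in users:
        return 404, "no such user"
    del users[target]
    return 200, f"deleted {target}"


ACTIONS = {
    ("GET", "/users"): _list_users,
    ("POST", "/admin/delete-user"): _delete_user,
}


def vulnerable_handle(req, users):
    """Backend that trusts the UI to have hidden the button: it only checks that
    the session is valid, never whether that user's role may call this endpoint."""
    if req.session_token not in SESSIONS:
        return 401, "unauthenticated"
    action = ACTIONS.get((req.method, req.path))
    if action is None:
        return 404, "not found"
    return action(req, users)


def hardened_handle(req, users):
    """Backend that enforces RBAC on every request: the role comes from the
    server-side session and is checked against the endpoint's permission."""
    session = SESSIONS.get(req.session_token)
    if session is None:
        return 401, "unauthenticated"
    required = ENDPOINT_PERMISSIONS.get((req.method, req.path))
    if required is None:
        return 404, "not found"  # deny by default: unknown endpoints are not served
    if required not in ROLE_PERMISSIONS.get(session["role"], set()):
        return 403, "forbidden"
    return ACTIONS[(req.method, req.path)](req, users)


def simulate(handler):
    """Bob (a viewer) is shown no delete button, then sends the request directly,
    exactly as a cURL or browser-console user could. Returns what happened."""
    users = {"alice": {}, "bob": {}, "carol": {}}
    buttons = render_buttons(SESSIONS["tok-bob"]["role"])
    crafted = Request("POST", "/admin/delete-user", "tok-bob", {"target": "carol"})
    status, _ = handler(crafted, users)
    return {
        "delete_button_shown": "Delete user" in buttons,
        "status": status,
        "carol_still_exists": "carol" in users,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_handle))
    print("hardened:  ", simulate(hardened_handle))
```

Run it and the vulnerable handler deletes the record with a 200 even though the button was never drawn for Bob; the hardened handler returns 403 and the record survives. The design point is that the permission check lives beside the endpoint table, so adding a new endpoint without an entry denies it rather than silently exposing it.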
How Net-Defence can help
The pervasive challenges of outdated software and mismanaged user rights represent just some of the hurdles in maintaining a robust cyber security posture and are often identified with the help of a standard penetration test. To neglect these issues is to leave your digital door wide open for malicious actors to exploit.
Our cyber security testing services are designed to address these critical gaps head-on. We offer a complete suite of penetration testing methodologies, tailored to your specific needs, to accurately assess your business resilience and security posture.
Whether it’s simulating a real-world external attack through closed box testing, leveraging full system knowledge with glass box testing for deep-rooted vulnerabilities, or conducting more targeted assessments with translucent box testing, our specialist team is equipped to uncover your weak spots.
Beyond external threats, we also recognise the critical importance of internal vulnerabilities. Our internal penetration testing simulates attacks from the perspective of a malicious employee or compromised user, helping you evaluate the effectiveness of your internal security controls and identify how easily an insider could gain access or pivot to other sensitive systems.
Furthermore, our web application penetration testing delves deep into the design, coding, and deployment of your web applications, identifying flaws like Cross-Site Scripting (XSS), which could lead to unauthorised access or data manipulation.
We also offer automated penetration testing as a powerful initial sweep, quickly highlighting common security weaknesses and providing ongoing visibility, though we emphasise that it complements, rather than replaces, the in-depth analysis of our skilled human testers.
When you partner with our team for a standard penetration test, you can expect an extensive summary of your organisational security health, including a risk-based report for each identified vulnerability, clear evidence of findings and their real-world impact, and retesting.
Don’t leave your business vulnerable to the common problems that plague so many organisations. Get in touch today to understand more about how our standard penetration test can secure your network and protect your valuable assets.