In a perfect world, security would drive compliance. However, generally this is not the case. In an effort to become compliant, companies are doing the bare minimum. While this may grant them the check mark from regulatory commissions, does this mean they are secure?
Let us take PCI for example. During standard PCI PenTests, the Penetration Testers are put into the PCI environment, which may only contain one system in a company of thousands. Generally, these systems are hardened, patched, and well monitored. This is great, but does that really mean the data is secure? Maybe it is secure, but maybe not. Just because the system does not have any vulnerabilities does not mean the data is safe, or even that the company knows the system houses clear text credit card numbers.
Penetration Testers are taught to think like the “bad guys”, and we understand the best chance of us obtaining the data is not just testing the “in scope” systems. Generally, somewhere on the network a system or user has access to these systems. If this is the case, the whole network should be in scope. Next, the Penetration Tester will look for low level systems on the network and compromise them, then use the compromised systems to launch more sophisticated attacks against other systems, eventually compromising the domain. Using elevated privileges, the Penetration Tester will attempt to access the in scope systems in the way the system was designed to be accessed. This is similar to the path an attacker would take.
What about client side attacks? Unfortunately, one of the easiest things to exploit is people. A system administrator can do everything right, and the company can still fall victim to attackers because of a lack of awareness, a lack of training, or even just an employee having a bad day. The answer to the previous question is yes; client side attacks should be included in your Penetration Tests. Not only will they provide a baseline as to how educated your users are, they can also help develop that awareness. Nothing says “oops” like a shell on a box.
Lastly, what about a third party hosted website? It is important to understand an attacker’s thought process regarding third party hosted applications, even though they are not connected to “your” systems. Let us say your third party hosted site is a catalog site, with a login for storing favorite items or wish lists. While this may not seem like a big deal, the odds are you have employees that use this site. Most users use the same password for multiple sites and applications. Also, these same people most likely registered with their work email, which makes identifying targets a lot easier. An attacker will also look for administrators of these types of sites; they are generally softer targets because the site is hosted elsewhere. The attacker then takes the information gathered there and sets their sights on your hosted systems.
In summary, if you are looking for only compliance, then yes, only some of these are required. However, if you are looking for security, you will need them all. Limiting the Penetration Tester only limits your results.