Penetration Testing mailing list archives
Re: How would you describe the risk if a company doesn't do penetration tests?
From: Cor Rosielle <cor () outpost24 com>
Date: Fri, 18 Sep 2009 11:21:30 +0200
If you pay a lot of money for all kinds of security measures, you just might want to know if your money is well spent. I know some companies don't care and do whatever their auditors tell them to do to pass the audit. But others still want to gain security. And those ones can benefit from pentesting. Good pentesters and analysts don't test how things are designed or should work, they test how it actually works. As a result of those tests they can tell where weak spots in the defense can be found. And this is often different from how management thinks their IT infrastructure is protected. So the result of the pentest gives the customer a chance to consider additional protection.

Good pentesters and analysts also do not use secrets to magically get access to a system. They use decent and scientific system test methodologies like the OSSTMM (www.osstmm.org). Tests and analysis according to OSSTMM also give the possibility to predict the amount of additional protection of a new security control. So if a customer can choose between some alternative security controls, he can know which control gives the best price/performance ratio.

But beware of the "pentesters" who only use a vulnerability scanner and perhaps even "prove" your infrastructure is weak because they "magically" got in using exploits someone else made. The best advice they can give is to apply the patch that fixes the exploit. My kid sister can give that advice too, even without testing. But a good pentester/analyst can recommend how to protect your infrastructure, even without applying the fix (although that is a good thing to start with) and how to protect against future threats.

So, the proof of the pudding is in the eating. In my opinion a proper pentest does have value for companies who want to get more secure.

Cor Rosielle
Lab106
www.lab106.com

PS: I am a contributor to the open source OSSTMM and believe this methodology assists in executing good pentests. I prefer it because you can really contribute yourself and suggest changes to improve the methodology.