Penetration Testing mailing list archives
Re: How would you describe the risk if a company doesn't do penetration tests?
From: Sebastiaan <littlebighuman () gmail com>
Date: Mon, 21 Sep 2009 10:55:13 +0200
Thanks all, very interesting and helpful. JoePete, I get what you are saying. I came up with something like this (please forgive my English, it's not my native language):

Risks of not (regularly) pen-testing:

- No additional (on top of the regular vuln scanning) confirmation that mitigating controls function correctly;
- Not benefiting from the additional (on top of the regular vuln scanning) finding of vulnerabilities.

On 9/17/09, JoePete <joepete () joepete com> wrote:
On Thu, 2009-09-17 at 13:55 +0200, Sebastiaan wrote:

From a compliance point of view they run the risk of not being compliant (because of PCI, local law, etc.) but I need a better, juicier "risk" description ;)

Pen testing should not be viewed as a way of measuring risk, but instead a way of measuring compliance or mitigation. Yes, I guess technically there is risk in not complying (regulatory slap on the wrist, etc.), but the larger reason why you test a system is affirming some mitigating measure and the value (even in dollars) of it.

To analogize your question, it's like asking what is the risk in not testing your smoke detectors. None - other than you have no idea if those are really smoke detectors in your house. The presence or absence of them does nothing to change the value of your house, the possibility of fire or the combustibility of items in your home. Similarly, pen testing won't change the value of information assets or the presence of threats and vulnerabilities (yes, it may reveal threats and vulnerabilities you didn't know about). We see this in the reverse all too often: we test a system but never patch it; testing by itself proves nothing.

Ultimately, that is the argument for management - testing confirms mitigation. Add up the cost of all the hardware, software, and policy you buy to "make you secure" and that is the value of testing.

-- JoePete