Penetration Testing mailing list archives
How would you describe the risk if a company doesn't do penetration tests?
From: Sebastiaan <littlebighuman () gmail com>
Date: Thu, 17 Sep 2009 13:55:05 +0200
I'm currently doing an audit. Part of the audit scope is to audit the penetration testing methodologies that are used. Now for the risk/control matrix I have to come up with a good description of a risk of not having penetration tests done. We had discussions like this before on the list, basically concluding that pen-testing only shows you that that specific pen-tester can't hack into/harm your systems, etc.
From a compliance point of view they run the risk of not being compliant (because of PCI, local law, etc) but I need a better, juicier "risk" description ;)