Penetration Testing mailing list archives

How would you describe the risk if a company doesn't do penetration tests?


From: Sebastiaan <littlebighuman () gmail com>
Date: Thu, 17 Sep 2009 13:55:05 +0200

I'm currently doing an audit. Part of the audit scope is to audit the
penetration testing methodologies that are used.

Now for the risk/control matrix I have to come up with a good
description of a risk of not having penetration tests done.

We had discussions like this before on the list, basically concluding
that pen-testing only shows you that that specific pen-tester can't
hack into/harm your systems, etc.

From a compliance point of view they run the risk of not being
compliant (because of PCI, local law, etc.) but I need a better, juicier
"risk" description ;)


