Penetration Testing mailing list archives

RE: Business justification for pentesting

From: Kyle Starkey <kstarkey () siegeworks com>
Date: Wed, 31 Aug 2005 12:05:59 -0600

I agree with the previous discussion on how to justify to the business the
need for Pen-Testing.  In addtion to their comments there are some good
writeups in the SecurityFocus Infocus Pen-Testing section... They are from
2003, but still hold some good information... 

http://www.securityfocus.com/infocus/1715
http://www.securityfocus.com/infocus/1718

Additionally it is a good idea to use something like Octave Risk assessment
methodology to assess your organizations risk posture.  The use of Octave
will allow you to determine your critical assets and their risks.  This sort
of data will not only allow your justify ROI on pen-testing, but will also
allow you to determine what assets to focus your security teams resources
on.

Cert discusses Octave: 
http://www.cert.org/octave/

Hope these help...
-Kyle

Kyle R. Starkey
Senior Security Consultant
CISSP # 31718
Siegeworks LLC


-----Original Message-----
From: rmeijer () xs4all nl [mailto:rmeijer () xs4all nl] 
Sent: Wednesday, August 31, 2005 6:47 AM
To: sectraq () gmail com
Cc: pen-test () securityfocus com
Subject: Re: Business justification for pentesting

hi all,

a few classic question that i would appriciate any answers for.
1- i would like to briefly know how to quantify information assets. In
other words, i hear a pentester say: if a hacker breaks in ur network, u
will loose up to 40000$ for example. how can he come up with such figures?


This is not something for a pentester to be concerned with in most cases.
The value of assets should be evaluated only in the context of a risk
assesment done by a skilled statistician, not by a skilled infosec
technisian.

In the past I've tried to bring together some of the
statistician/technisian/management infosec issues in a whitepaper on
risk assesment and incident response, but it has turend out to be
close to impossible to bring together these distinct views on infosec
in a way that not everyone thinks: 'that is the other guys specialty'.
You may wish to check out 'Security Incident Policy Enforcement' at
isecom.org to get somewhat of a grasp on this. The document focusses
on risk assesment in a IR context, but much of it can be seen in a
wider scope also.

2- are there any other means to justify pentesting for management except
for $$$?


Pentesting is just one of a wide range of security measures, there are
three ways to justify any security measures:

1  The projected financial footprint of the diverted risk is substantialy
   higher than the projected cost of the security measure.
2  The potential financial footprint of diverted risk would be very high
   and the projected cost of the measure not very substancial.
3) There is insufficient data to asses if either 1 or 2 is true, and the
   measure could supply this data.

As you see, only the third does not directly involve money as argument, but
I dont think pentesting could be categorized in that section very often.

3- are there any official statistics, figures etc. for justifying
pentesting. ther more official it is the better.


In my research I have found no sign of any statistic information with
any usefull span that crosses company borders. This is very unfortunate,
as it makes risk assesments yield rather high spreads in their risk
densities, that makes building solid pollicies from them very dificult.
I personaly believe that this lack of statistics could be responsible for
a very large portion of overall infosec incident costs.

4- any other information you guys might find helpful in justifying a
pentest would be appriciated.

thnx in advance for ur help.

T.N





------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

RE: Business justification for pentesting Craig Wright (Sep 01)
- <Possible follow-ups>
- Re: Business justification for pentesting Leveque, Vincent E. (Sep 01)
- RE: Business justification for pentesting Craig Wright (Sep 01)
  - Re: Business justification for pentesting Kevin Reiter (Sep 02)
- RE: Business justification for pentesting Steve Manzuik (Sep 01)
- RE: Business justification for pentesting Vic N (Sep 01)
- RE: Business justification for pentesting Kyle Starkey (Sep 01)
- RE: Business justification for pentesting Craig Wright (Sep 02)
  - RE: Business justification for pentesting Vic N (Sep 02)
- RE: Business justification for pentesting Michael Gargiullo (Sep 02)
- RE: Business justification for pentesting Craig Wright (Sep 05)
  - RE: Business justification for pentesting Vic N (Sep 05)
- RE: Business justification for pentesting Craig Wright (Sep 06)