Penetration Testing mailing list archives

Re: Penetration tester or Ethical hacker future?


From: James Kelly <macubergeek () comcast net>
Date: Mon, 3 Sep 2007 09:12:27 -0400

Fortunately or unfortunately, pen testing seems to be the ONLY external security validation many organizations have. You can't trust that to the IT staff (sys admins), who have a vested interest in the status quo. Many firms may have a CISO, but that person is largely a security policy person, not a technical security person (in most cases). Additionally, you have to separate out legal compliance issues from pure security issues.

When you consider all the above, the pen tester acts in a quasi-auditing role in many instances. Given that, pen testing can be valuable within the limits of the budget.

Jk

On Aug 31, 2007, at 10:29 AM, Paul Melson wrote:

Nikos Tsagarakis wrote:

I do not believe that penetration testing is a waste of money.


Of course you don't, you're a pen tester! And lots of customers don't believe it's a waste of money, either. But for those that have invested in pen-testing, they do it with the expectation that you'll find and report the holes to them before the bad guys do. And when a company spends on pen-testing and gets hacked anyway, it's pretty hard to convince them of the value of those pen tests.

PaulM


