Penetration Testing mailing list archives
Re: How would you describe the risk if a company doesn't do penetration tests?
From: Trojacek <trojacek () gmail com>
Date: Thu, 17 Sep 2009 14:09:17 -0500
Sebastiaan,

Perhaps lack of proper management awareness / false sense of security. The penetration test, if done properly, can be an invaluable training tool by raising management's awareness of the depth and breadth of security issues within the organization. Without such testing, personnel could be lured into a false sense of security. Of course, this still does not eliminate the occurrence of various singularities, but it should at least prepare management to respond to such eventualities.

In addition, you could probably cite performance concerns. For example, the Six Sigma methodology basically requires a check-up to verify that processes work.

It may be useful to create an analogy. How often do they inspect the fire extinguishers to verify they are working? How about having the fire chief show up for a random inspection / drill? How often does someone run through the building setting fire to things to see if the fire department will show up?

On Thu, Sep 17, 2009 at 6:55 AM, Sebastiaan <littlebighuman () gmail com> wrote:
I'm currently doing an audit. Part of the audit scope is to audit the penetration testing methodologies that are used. Now for the risk/control matrix I have to come up with a good description of a risk of not having penetration tests done. We had discussions like this before on the list, basically concluding that pen-testing only shows you that that specific pen-tester can't hack into/harm your systems, etc. From a compliance point of view they run the risk of not being compliant (because of PCI, local law, etc.) but I need a better, juicier "risk" description ;)

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------