Penetration Testing mailing list archives

Re: How would you describe the risk if a company doesn't do penetration tests?


From: JoePete <joepete () joepete com>
Date: Thu, 17 Sep 2009 15:35:09 -0400

On Thu, 2009-09-17 at 13:55 +0200, Sebastiaan wrote:
From a compliance point of view they run the risk of not being
compliant (because of PCI, local law, etc) but I need a better, juicier
"risk" description ;)

Pen Testing should not be viewed as a way of measuring risk, but instead
a way of measuring compliance or mitigation. Yes, I guess technically,
there is risk to not complying (regulatory slap on the wrist, etc.), but
the larger reason why you test a system is affirming some mitigating
measure and the value (even in dollars) of it.

To analogize your question, it's like asking what is the risk in not
testing your smoke detectors. None - other than you have no idea if
those are really smoke detectors in your house. The presence or absence
of them does nothing to change the value of your house, the possibility
of fire or the combustibility of items in your home. Similarly, pen
testing won't change the value of information assets or the presence of
threats and vulnerabilities (yes, it may reveal threats and
vulnerabilities you didn't know). We see this in the reverse all too
often: We test a system but never patch it; testing by itself proves
nothing.

Ultimately, that is the argument for management - testing confirms
mitigation. Add up the cost of all the hardware, software, and policy
you buy to "make you secure" and that is the value of testing. 

--
JoePete

