Penetration Testing mailing list archives

Re: How would you describe the risk if a company doesn't do penetration tests?


From: Cor Rosielle <cor () outpost24 com>
Date: Fri, 18 Sep 2009 11:21:30 +0200

If you pay a lot of money for all kinds of security measures, you just
might want to know if your money is well spent. I know some companies
don't care and do whatever their auditors tell them to do to pass the
audit. But others still want to gain security. And those ones can
benefit from pentesting.

Good pentesters and analysts don't test how things are designed or
should work, they test how it actually works. As a result of those tests
they can tell where weak spots in the defense can be found.
And this is often different from how management thinks their IT
infrastructure is protected. So the result of the pentest gives the
customer a chance to consider additional protection. 

Good pentesters and analysts also do not use secrets to magically get
access to a system. They use decent and scientific system test
methodologies like the OSSTMM (www.osstmm.org). Tests and analysis
according to OSSTMM also give the possibility to predict the amount of
additional protection of a new security control. So if a customer can
choose between some alternative security controls, he can know which
control gives the best price/performance ratio.

But beware of the "pentesters" who only use a vulnerability scanner and
perhaps even "prove" your infrastructure is weak because they
"magically" got in using exploits someone else made. Best advice they
can give is to apply the patch that fixes the exploit. My kid sister can
give that advice too, even without testing. But a good pentester/analyst
can recommend how to protect your infrastructure, even without applying
the fix (although that is a good thing to start with) and how to protect
against future threats.

So, the proof of the pudding is in the eating. In my opinion proper
pentest does have value for companies who want to get more secure.


Cor Rosielle

Lab106
www.lab106.com

PS: I am a contributor to the open source OSSTMM and believe this
methodology assists in executing good pentests. I prefer it because you
can really contribute yourself and suggest changes to improve the
methodology.

