Penetration Testing mailing list archives

Re: How would you describe the risk if a company doesn't do penetration tests?


From: Sebastiaan <littlebighuman () gmail com>
Date: Mon, 21 Sep 2009 10:55:13 +0200

Thanks all, very interesting and helpful.

JoePete, I get what you are saying. I came up with something like this
(please forgive my English, it's not my native language):

Risks of not (regularly) pen-testing:
- No additional confirmation (on top of the regular vulnerability
scanning) that mitigating controls function correctly;
- Not benefiting from the additional (on top of the regular vulnerability
scanning) discovery of vulnerabilities.




On 9/17/09, JoePete <joepete () joepete com> wrote:
On Thu, 2009-09-17 at 13:55 +0200, Sebastiaan wrote:
From a compliance point of view they run the risk of not being
compliant (because of PCI, local law, etc.) but I need a better, juicier
"risk" description ;)

Pen Testing should not be viewed as a way of measuring risk, but instead
a way of measuring compliance or mitigation. Yes, I guess technically,
there is risk to not complying (regulatory slap on the wrist, etc.), but
the larger reason why you test a system is affirming some mitigating
measure and the value (even in dollars) of it.

To analogize your question, it's like asking what is the risk in not
testing your smoke detectors. None - other than you have no idea if
those are really smoke detectors in your house. The presence or absence
of them does nothing to change the value of your house, the possibility
of fire or the combustibility of items in your home. Similarly, pen
testing won't change the value of information assets or the presence of
threats and vulnerabilities (yes, it may reveal threats and
vulnerabilities you didn't know). We see this in the reverse all too
often: We test a system but never patch it; testing by itself proves
nothing.

Ultimately, that is the argument for management - testing confirms
mitigation. Add up the cost of all the hardware, software, and policy
you buy to "make you secure" and that is the value of testing.

--
JoePete


