Pen testing
I’m seeing a lot of posts about Pen Testing, specifically Tom’s Dave’s over at Matasano. On that post, Dave is commenting on an article for Information Security Magazine.
I’m not going to comment on Dave’s comments to the comments made by others. Wow….
What I will do is offer yet another reason to perform a pen test/audit, and that is to purchase a deliverable that your marketing teams can use. For example, our firm plans on showing the resultant “certification” from the auditors to potential clients to demonstrate that we are reasonably secure and that their data will be protected while it’s on our network. This can give us the edge over competitors when the client we’re pursuing happens to be the government or another security-conscious entity.
We will also, of course, be using the results to further advance our security infrastructure and to correct any problems found in said test. We aren’t bound by PCI, SOX, or many others, so this isn’t done in the vein of compliance. It’s actually done to find out how secure we really are. Sure, I can tell my boss all day ‘we’re secure’ just as easily as the CFO can say ‘we don’t cook the books.’ But we still have an annual audit of our finances by a third party, and now we’re starting a similar practice within our IT department.
Will I be able to use the report to request more funding? Abso-frickin-lutely. Will the report show problems in my security design? If it doesn’t, I won’t pay them, because they obviously didn’t do the right job.
Another reason for the audit is to get a professional opinion on where we should focus our energy next in improving our security infrastructure. For example, we have the basics addressed and now have a solid security platform built. We have solid patch management, centrally managed AV, control of inbound email attachments, strict ingress and egress firewall filtering, IPS technology as well as endpoint HIPS on laptops (in some cases generations deep on our laptop replacement cycle). We established routes of communication for the security group, and we have tried and true incident response procedures.
What we don’t have is data classification, data retention policies, data access policies, etc. We plan on discussing all of this with the security group so they can provide more information to help us decide which way to go from here.
So no, I don’t think pen tests are snake oil any more than I think IPS is a dead technology or worms are so ’90s.

Actually, the post was mine not Tom’s. And you are spot on…
By Dave G. on 03.13.07 9:38 pm
My bad! I’m so used to seeing him post there…
By Michael on 03.14.07 7:45 am
The Pen Test subject is becoming a game of tag, sorta. It’s interesting to see ideas knock around from blog to blog.
By Michael on 03.15.07 3:21 pm
[...] In response to Dave, Michael over at MCWresearch adds his $.02 in a very good defense of the traditional reasons for penetration testing. [...]
Pen Testing A go go
Lots of interesting chat on the reasons to Pen Test, or not, from various blogs, starting over here at techtarget then rapidly spreading out over the blogosphere (hate that word but it’s the only one going) to Matasano, mcwresearch, Security…