Penetration testing is the testing of computer systems and networks using hacker techniques. For many years authors have written texts in a succinct and easy to follow format on how you can conduct your own penetration testing. This has opened up the debate as to the importance of actually hiring a professional company to perform penetration tests - when there is so much information available for a company to perform these important tests on their own. The answer to that debate is largely dependent on how confident you are in the ability of your staff to perform penetration testing; but that is not the only thing that you should think about.
Our clients include people who are experts in their respective areas of technology. But having expertise in how a certain technology works is not the same as being an expert in how to secure that technology. To successfully secure a product, you must first know how to break it, and then how to apply effective countermeasures. This requires experience with a number of different enterprise environments, and an understanding of their complexities and the possible permutations of their implementation.
It is an established best practice that people should not audit their own work, but does this hold true for penetration testing your own systems? Often the internal staff doing the testing will have been involved in the original setup. It is difficult for a person to objectively review their own work. One could also argue that if a person was capable of finding security issues with their own work, then they should have corrected them at the time of implementation. Often a person is too immersed in the project they are delivering to see the forest for the trees. Also, finding problems during a penetration test may be an acknowledgement that the work was not conducted properly in the first place, something that not all staff will be willing to admit.
In some organisations the team conducting the penetration test may be independent of other teams involved with implementing the solution. So this may overcome the previous argument to some degree. However, it is difficult to compare the skills of a penetration testing company that conducts hundreds of penetration tests per year to an in-house team which conducts perhaps a few tests a year against mainly a static environment. There will be large differences in the breadth of skills, experience, and currency of attack techniques.
While performing your own penetration tests internally is highly encouraged, it is important that you engage professionals who can understand and provide remedial advice on any issues which may be identified during a penetration test; otherwise you may be providing yourself with a false sense of security.
About the Author:
Sense of Security is a leading provider of IT security and risk management solutions. We are Australia's premier network and application penetration testing company, and trusted IT security advisor to many of the country's largest organisations.