
Thread: Why do we Pen Test?

  1. #11
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Why do you pen test? - Once again, for me it is regulatory compliance (SOX, PCI, etc.) plus my boss is very security oriented (CISSM) and wants to make sure our holes are plugged before someone else finds them.

    Why don't you pen test? - n/a

    What is the value? - finding and patching a hole before it can be exploited. We are a multi billion dollar company and all of our business is done over the internet. If I can find and patch a hole that would have cost the company a few million dollars then I have done my job. If I don't find that hole, or we never even looked for it, then the company is hurt financially and their reputation is tarnished.

    Who (what functions) should be doing the testing? - that is really going to depend on the type of business. We do both internal and external testing. The security department is not related to the rest of MIS/IT even though we work closely with them. We also contract out to a couple of different companies that do everything from full "black box" testing, to informed application testing.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #12
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Why do you pen test?

    To maintain our compliance with BSI7799/ISO27000.
    We're not certified but we make best endeavours to be compliant.


    Why don't you pen test?
    ^

    What is the value?

    It's best practice and we use the results of a pen test to push for better practice in some areas where the guys can be sloppy if they're not checked.
    It's also used to construct action plans to reduce the organisation's overall risk.


    Who (what functions) should be doing the testing?

    Annual pen test is carried out by a trusted 3rd party. The 3rd party should be rotated every couple of years.
    Internally we plan to carry out a vulnerability test on new servers before they go live in the DMZ. This isn't to the same standard as a professional pen test. It would be carried out by me. I don't work for IT and have sufficient independence to do it (but not the training yet).

  3. #13
    Junior Member
    Join Date
    Apr 2006
    Posts
    14
    Originally posted here by thehorse13
    1) Regulatory compliance line item (PCI, HSPD-12 and HIPAA in my case) for risk assessment. The GREATEST risk is the unknown. Unless you pen test, you don't know if there are vulnerabilities. Ask your management chain if they are willing to sign off on an unknown risk. Watch how fast the attitude changes.

    --TH13

    Well said. And that is why.

  4. #14
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Just thought to include this quick for some more information. CSO magazine this month has an interesting article on penetration testing:

    Security-Penetration Testing

    Penetration tests are falling in popularity. Here are the keys to making them valuable again.
    http://www.csoonline.com/read/070106...n-testing.html

    Some more quotes - ok the beginning and ending paragraphs:

    Steve Katz sat at his desk, reading an e-mail that he had hoped never to see. An outsider had access to the systems at his company. Katz, who was CISO at a large
    financial firm, would have to tell his boss. And that could be the start of something ugly.

    The silver lining for Katz was this: The outsider was an ethical hacker Katz had hired to see if the company’s systems could be penetrated. While it wouldn’t be fun to deliver the news—“the guy had become a user of the system. He could’ve probably gotten access to critical applications,” Katz says—at least it was just a penetration test.

    ...
    ..
    .

    So while some CSOs may be grumbling about pen tests, it’s clear that others want them. As a consultant, Pfeil says pen testing occupies most of his time. “Pen tests were a valuable tool in my life as a CSO, and they still are,” he says. CISOs just need to apply these lessons to make sure they’re getting the value they should.
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
