My organization conducts penetration tests according to compliance regulations, but I've heard that it may be better...
to do the testing more often. What's the best way to determine how often penetration testing is needed? Are there certain organizations or industries that should or should not do it more often?
This is a great question that's often taken for granted. The challenge is, there's no one best answer. Similar to the questions "How often should I exercise?", "How often should I go for a dental cleaning?" and "How often should I change the oil in my car?", there are so many variables when it comes to penetration testing -- such as network complexity, how often systems and applications are changed, budget, and so on. Ask 100 people and you'll probably get 100 different answers. Of course, when third parties are involved (e.g., dentists, mechanics and security consultants), they might be inclined to recommend whatever is in their best interest, so be careful.
Here's my two cents' worth: What are you trying to accomplish with penetration testing? It may be to satisfy a compliance checkbox or to meet customer or business partner requirements. Hopefully, in the end, it's to minimize business risks. Given that, you need to do it as often as is necessary to keep your security risks to a manageable level.
All things considered -- and in trying to be reasonable -- I have found that performing penetration tests every quarter works well. Some people do it every six months or just once per year. Some higher-risk organizations such as financial services companies and defense contractors actually do it in real time using automated tools. Again, it depends on a number of variables.
Above all else, you need to make sure you're doing the proper testing -- "penetration testing" in the purest sense is rarely enough. Neither are higher-level checklist audits. Relying on plain vanilla vulnerability scans is a surefire way to facilitate a breach. I prefer to focus on performing "security assessments" that look at all the right things rather than limiting your tests to whatever someone is asking you to do.
In the end, all systems and applications are fair game for attack. More important than how often you should test is the need for your business to ensure that it's performing its security tests effectively and consistently over time.
Ask the Expert!
Want to ask Kevin Beaver a question about network security? Submit your questions now via email! (All questions are anonymous.)
Check out SearchNetworking's penetration testing guide
Learn how to limit pen test risks by limiting the scope of the test
Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments
Related Q&A from Kevin Beaver
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ...continue reading
Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ...continue reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.