A number of providers now offer subscription-based penetration testing services. How do they compare to traditional pen testing, and how should I determine if this is the right option for my enterprise?
Ask the Expert
Subscription-based penetration testing services have really caught on recently. In a nutshell, a customer of the vendor's cloud or managed security services platform is given access to a hosted collection of penetration testing tools, scripts and related resources, and can launch tests against its own environment from that cloud platform whenever it chooses. What this essentially amounts to is penetration testing on demand. Quite frankly, I'm a little surprised that this trend hasn't caught on sooner.
A traditional penetration test is a one-off engagement: the organization pays a third-party consultant to conduct a penetration exercise against its network, receives a report, and the engagement ends. Most organizations run such tests about once or twice a year. Especially vigilant organizations, or those that make a number of significant changes to their networks, test more often, and some are required to: PCI DSS, for example, calls for a penetration test at least annually and after any significant infrastructure or application change. While a test yields valuable information about the enterprise's vulnerabilities, it happens so infrequently that the results are a point-in-time snapshot; a weakness introduced the week after the test goes unnoticed until the next one.
In-house penetration testing is hard to manage successfully. A suitable toolset is obviously needed, and the tools themselves are generally affordable, but what matters more is having a trained, experienced penetration tester on staff. For large organizations that must run pen tests to meet compliance mandates, it can be economically viable to hire an experienced pen tester or to train an existing employee. For the majority of enterprises, though, third-party pen testing is the easier choice.
What subscription-based penetration testing vendors are doing now is shifting that model toward something much closer to continuous, near-real-time testing. Consider patching: Microsoft releases its security updates on the second Tuesday of each month. If your network's last penetration test was conducted two months ago, do you know how the patches released since then, and the systems that missed them, have actually changed your exposure? With a subscription-based service, a test can be run immediately after each patch cycle, after a significant configuration or application change, or whenever a newly disclosed vulnerability warrants it, rather than waiting for the next annual engagement. Note that such services are tool-driven: they complement rather than replace the manual work of an experienced tester, and each run still needs proper scoping and authorization.
In my opinion, if your enterprise has the financial means to pay for on-demand penetration testing, I would definitely recommend adopting such a service.
This was first published in February 2014