Viewpoint: What if you can't afford pen-testing?

Pen Testing Pluses
While I agree with Bruce Schneier and Marcus Ranum on the lack of benefit in paying someone to do penetration testing (Face-Off, March 2007), I completely disagree that it doesn't have value if you have the expertise--or at least willingness, patience and time--to do it yourself. This is something they don't address.

I'm constantly doing pen testing in my network using several tools, and it's for several reasons:

  • Security and vulnerability assessment of critical applications and servers.
  • Penetration is not just for immediate patch needs. Pen testing shows me the flow of my environment and helps classify types of traffic.
  • By pen testing and understanding what I face now, I can better understand how to avoid those same things in the future.
  • Clarification of threats--while you should know your network, that is not always the case. There will always be something out there that either wasn't in your control, or isn't in your realm of expertise.

Defining threats and where to look for them on your network saves time for those who don't live and breathe patching.

Mark Stanford
CIO, Stanford Technology Group


Finding a Happy Medium
I read, with many smiles, your article ("Balancing Act," March 2007). I agree with most of it, but having been an auditor and led a number of security consulting practices, I would argue with the comments of Jerry Freese.

Though he is essentially correct--technical controls are not more infallible than organizational and operational controls--my disagreement may be more on how and when the technology is selected and used. I believe that without these controls, the technology may not provide a more secure environment.

One other point: I have seen few information security programs that don't require security status reporting back to senior management. For executives to understand what they are getting for their security investment, they need to be provided insight on what is working and where risks are within an organization.

With this element missing, security issues get stove-piped. While this approach may reduce risks for the issue in question, it does not move the organization toward a proactive, risk management-based approach to securing an organization.

Thomas C. Funk
Security practice director, Virteva



Send your e-mails to feedback@infosecuritymag.com.


Security Seven Awards

Initiate
Circulate
Evaluate
Nominate.

Information Security magazine and SearchSecurity.com will honor innovative security practitioners in seven vertical markets this fall with our annual Security Seven Awards. The awards, to be handed out this fall at the Information Security Decisions conference in Chicago and featured in the magazine's November issue, will recognize the efforts, achievements and contributions of practitioners in financial services, telecommunications, manufacturing, energy, government, education and health care.

While vendor executives are not eligible, we're inviting you to nominate your most innovative practitioners. Nominees must have made a noteworthy contribution to their organizations or the security community in areas including research, product development and standards.

Download the nomination form at www.searchsecurity.com/securityseven and email it to securityseven@infosecuritymag.com.
Nomination Deadline: July 2.

This was first published in May 2007