
How often should businesses conduct pen tests?

Depending on whom you talk to, pen tests should be done annually or monthly. Expert Kevin Beaver discusses how to find your organization's answer.

My organization conducts penetration tests according to compliance regulations, but I've heard that it may be better to do the testing more often. What's the best way to determine how often penetration testing is needed? Are there certain organizations or industries that should or should not do it more often?

This is a great question that's often taken for granted. The challenge is, there's no one best answer. Similar to the questions "How often should I exercise?", "How often should I go for a dental cleaning?" and "How often should I change the oil in my car?", there are so many variables when it comes to penetration testing -- such as network complexity, how often systems and applications are changed, budget, and so on. Ask 100 people and you'll probably get 100 different answers. Of course, when third parties are involved (e.g., dentists, mechanics and security consultants), they might be inclined to recommend whatever is in their best interest, so be careful.

Here's my two cents' worth: What are you trying to accomplish with penetration testing? It may be to satisfy a compliance checkbox or to meet customer or business partner requirements. Hopefully, in the end, it's to minimize business risks. Given that, you need to do it as often as is necessary to keep your security risks to a manageable level.

All things considered -- and in trying to be reasonable -- I have found that performing penetration tests every quarter works well. Some people do it every six months or just once per year. Some higher-risk organizations such as financial services companies and defense contractors actually do it in real time using automated tools. Again, it depends on a number of variables.

Above all else, you need to make sure you're doing the proper testing -- "penetration testing" in the purest sense is rarely enough. Neither are higher-level checklist audits. Relying on plain vanilla vulnerability scans is a surefire way to facilitate a breach. I prefer to focus on performing "security assessments" that look at all the right things rather than limiting your tests to whatever someone is asking you to do.

In the end, all systems and applications are fair game for attack. More important than how often you should test is the need for your business to ensure that it's performing its security tests effectively and consistently over time.


This was last published in January 2015


How often does your organization perform pen tests?

My organization has never had a pen test done. Should we know what the tester is going to be looking for so we can prepare for it?

You bet... Properly set expectations and scoping are half the battle. Here are some additional pieces I've written about things to consider when scoping for your security tests:

The most important thing is to not get caught up in semantics and, instead, review the security of everything that matters.

Best of luck!

I believe penetration tests should be done on a weekly basis if you need a guarantee of your security, as new threats are created every day.

Thanks e48489. That'd be one heck of a budget! Every situation is different. If you can justify the time/cost/effort weekly, that's excellent. We need more businesses like yours.

I'm not convinced new threats are created every flaws/exploits emerge in near real time and network complexity grows with that but the threats such as criminal hackers and malware are fairly static, no?