How often should businesses conduct pen tests?

Depending on whom you talk to, pen tests should be done annually or monthly. Expert Kevin Beaver discusses how to find your organization's answer.

My organization conducts penetration tests according to compliance regulations, but I've heard that it may be better to do the testing more often. What's the best way to determine how often penetration testing is needed? Are there certain organizations or industries that should or should not do it more often?

This is a great question that's often taken for granted. The challenge is, there's no one best answer. Similar to the questions "How often should I exercise?", "How often should I go for a dental cleaning?" and "How often should I change the oil in my car?", there are so many variables when it comes to penetration testing -- such as network complexity, how often systems and applications are changed, budget, and so on. Ask 100 people and you'll probably get 100 different answers. Of course, when third parties are involved (e.g., dentists, mechanics and security consultants), they might be inclined to recommend whatever is in their best interest, so be careful.

Here's my two cents' worth: What are you trying to accomplish with penetration testing? It may be to satisfy a compliance checkbox or to meet customer or business partner requirements. Hopefully, in the end, it's to minimize business risks. Given that, you need to do it as often as is necessary to keep your security risks to a manageable level.

All things considered -- and in trying to be reasonable -- I have found that performing penetration tests every quarter works well. Some people do it every six months or just once per year. Some higher-risk organizations such as financial services companies and defense contractors actually do it in real time using automated tools. Again, it depends on a number of variables.

Above all else, you need to make sure you're doing the proper testing -- "penetration testing" in the purest sense is rarely enough. Neither are higher-level checklist audits. Relying on plain vanilla vulnerability scans is a surefire way to facilitate a breach. I prefer to focus on performing "security assessments" that look at all the right things rather than limiting your tests to whatever someone is asking you to do.

In the end, all systems and applications are fair game for attack. More important than how often you should test is the need for your business to ensure that it's performing its security tests effectively and consistently over time.

This was last published in January 2015