Information Security

Defending the digital infrastructure

Viewpoint: What if you can't afford pen-testing?

Pen Testing Pluses
While I agree with Bruce Schneier and Marcus Ranum on the lack of benefit in paying someone to do penetration testing (Face-Off, March 2007), I completely disagree that it doesn't have value if you have the expertise--or at least willingness, patience and time--to do it yourself. This is something they don't address.

I'm constantly doing pen testing in my network using several tools, and it's for several reasons:

  • Security and vulnerability assessment of critical applications and servers.
  • Penetration is not just for immediate patch needs. Pen testing shows me the flow of my environment and helps classify types of traffic.
  • By pen testing and understanding what I face now, I can better understand how to avoid those same things in the future.
  • Clarification of threats--while you should know your network, that is not always the case. There will always be something out there that either wasn't in your control, or isn't in your realm of expertise. Defining threats and where to look for them on your network saves time for those who don't live and breathe patching.

Mark Stanford
CIO, Stanford Technology Group

Finding a Happy Medium
I read, with many smiles, your article ("Balancing Act," March 2007). I agree with most of it, but having been an auditor and led a number of security consulting practices, I would argue with the comments of Jerry Freese.

Though he is essentially correct--technical controls are not more infallible than organizational and operational controls--my disagreement may be more on how and when the technology is selected and used. I believe that without these controls, the technology may not provide a more secure environment.

One other point: I have seen few information security programs that don't require security status reporting back to senior management. For executives to understand what they are getting for their security investment, they need to be provided insight on what is working and where risks are within an organization.

With this element missing, security issues get stove-piped. While this approach may reduce risks for the issue in question, it does not move the organization toward a proactive, risk management-based approach to securing an organization.

Thomas C. Funk
Security practice director, Virteva

Information Security magazine and will honor innovative security practitioners in seven vertical markets this fall with our annual Security Seven Awards. The awards, to be handed out this fall at the Information Security Decisions conference in Chicago and featured in the magazine's November issue, will recognize the efforts, achievements and contributions of practitioners in financial services, telecommunications, manufacturing, energy, government, education and health care.

While vendor executives are not eligible, we're inviting you to nominate your most innovative practitioners. Nominees must have made a noteworthy contribution to their organizations or the security community in areas including research, product development and standards.

Download the nomination form at and email it to
Nomination Deadline: July 2.
