The Death of Penetration Testing by Brian Chess in InfoSecurity Magazine

larryedwardpotter

Newbie

Posts: 2

Joined: Wed Oct 15, 2008 11:23 am

Post Tue Mar 03, 2009 10:56 am

The Death of Penetration Testing by Brian Chess in InfoSecurity Magazine

In Brian Chess's column in the back of the January/February issue of InfoSecurity Magazine (but not the online version - http://www.infosecurity-us.com), he claims that "2009 will see the death of pen testing as we know, and love, it." He gives a few good arguments as to why pen testing is on the verge of an evolutionary metamorphosis that will make it "less distinct but more pervasive." He further predicts that pen testing will "get wrapped into a much larger and far more comprehensive approach to improving security."

I don't necessarily think this transformation will occur in 2009, but with our new president's focus on a federal role in IT security and the other proverbial dominoes starting to line up, it is inevitable that pen testing, as it gets tied closer to business processes, will play a pervasive role in a holistic approach to security management.
CISSP, CISM, C|EH, GPEN, MCNE, MCSA

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 03, 2009 11:12 am

Re: The Death of Penetration Testing by Brian Chess in InfoSecurity Magazine

I can definitely see that. I don't work for a purely infosec company. We do more forensics than anything. When we do pen testing, it's almost always as part of a larger sec audit (ISO17799, etc). If we are doing an audit, it's usually because we were hired to do forensics in response to an incident. Their problems are usually more procedural than technical. (Not that they don't have technical.) If the IT department goes rogue, the preventative methods are usually more procedural.
~~~~~~~~~~~~~~
Ketchup

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Tue Mar 03, 2009 11:18 am

Re: The Death of Penetration Testing by Brian Chess in InfoSecurity Magazine

this sentiment has been around for a while. although we all love attacking stuff, it doesn't necessarily prove anything unless there's a more comprehensive approach.

Justin has a great blogpost here explaining why he thinks pen-tests are bullshit.  quite good.

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Mar 03, 2009 5:39 pm

Re: The Death of Penetration Testing by Brian Chess in InfoSecurity Magazine

Well, if you use the extremely limited and narrow description of the term pen tester as just someone trying to exploit a box, then I would agree.

LSOChris

Post Fri Mar 06, 2009 9:03 pm

Re: The Death of Penetration Testing by Brian Chess in InfoSecurity Magazine

if you also sell source code auditing software you may feel that way too.
