Increasing the Frequency of Penetration Testing Makes Sense

Penetration testing is a widely accepted way of reducing the risk posed by technology security weaknesses. The premise is that a tester who 'puts themselves in the mind of an attacker' will apply the same skills and procedures an attacker would use. Unlike an attacker, however, the tester writes a detailed report of every breach achieved: the tested organization receives an account of each finding together with the corrective actions it should take.
There are recognized standards and directives that call for penetration testing. Requirement 11.3 of the PCI DSS requires internal and external penetration testing at least annually and after any significant change to the environment; these tests must cover both the network layer and the application layer. ISO 27001 likewise expects routine penetration testing as part of technical compliance checking (Annex A, control 15.2.2).
To decide how often penetration tests should be run, consider the overall risk picture. IBM's X-Force 2008 Trend and Risk Report documented more than seven thousand newly disclosed vulnerabilities in that year, found attacks growing markedly more sophisticated, and reported that roughly half of the recognized vulnerabilities were in web applications. It also showed that the large majority could be exploited remotely, without the attacker ever being on site.
Currently, most organizations commission an assessment once a year, covering a window of roughly two weeks. That snapshot says nothing about the other fifty weeks: any vulnerability introduced by a new deployment, a configuration change or a newly published flaw goes unnoticed until the next test. An annual penetration test is therefore no longer acceptable as an organization's only check for vulnerabilities.
PCI DSS Requirement 11.2 already reflects this: it requires internal and external vulnerability scans at least quarterly and after any significant change, with rescans until the identified issues are resolved. For a mandatory standard, this is a comparatively modern position.
Vulnerability management should be an ongoing process rather than an annual event. A proactive program covers asset identification and prioritization, assessment, the tooling for remediation, and final verification that each fix actually took effect. Automated, consistent, repeated scanning corroborates the security practices already in place; it is a check on patch and configuration management, not a replacement for them. Penetration testing, at least annually, should still be retained because of its more concentrated, focused approach to risk.
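As an added example (not code from the original article), the following Python script shows the verification step of that lifecycle: it diffs two rounds of scan findings to separate fixed, new and persistent issues, keeps the original discovery date on persistent findings so remediation deadlines are measured from first detection rather than from the latest rescan, flags findings that have exceeded a per-severity deadline, and orders the open findings into a work list. The hosts, check identifiers, scan dates and deadline values are all constructed for the illustration and are not taken from PCI DSS or any scanner.

```python
from dataclasses import dataclass, replace
from datetime import date

# Remediation deadlines in days per severity. Hypothetical policy values
# chosen for this example, not figures from PCI DSS or the article.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEV_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str    # scanner's identifier for the check that fired
    severity: str    # one of the keys in SLA_DAYS
    first_seen: date


def finding_key(f: Finding) -> tuple:
    """Two findings describe the same issue if host, port and check match."""
    return (f.host, f.port, f.check_id)


def diff_rounds(previous, current):
    """Split the current round into fixed / new / persistent relative to the previous one.

    Persistent findings keep the earlier first_seen date so the SLA clock
    keeps running instead of resetting on every rescan.
    """
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    fixed = [prev[k] for k in prev if k not in cur]
    new = [cur[k] for k in cur if k not in prev]
    persistent = [replace(cur[k], first_seen=prev[k].first_seen)
                  for k in cur if k in prev]
    return fixed, new, persistent


def overdue(findings, today):
    """Findings whose age exceeds the remediation deadline for their severity."""
    return [f for f in findings
            if (today - f.first_seen).days > SLA_DAYS[f.severity]]


def prioritize(findings):
    """Highest severity first; within a severity, the oldest finding first."""
    return sorted(findings, key=lambda f: (SEV_RANK[f.severity], f.first_seen))


# Constructed sample data for two scan rounds (not real scanner output).
PREVIOUS_ROUND = [
    Finding("web01", 443, "tls-weak-cipher", "medium", date(2008, 12, 15)),
    Finding("db01", 3306, "mysql-unauth-access", "critical", date(2009, 3, 2)),
    Finding("app02", 8080, "struts-remote-exec", "high", date(2009, 3, 2)),
]
CURRENT_ROUND = [
    # a scanner stamps every finding with the current scan date
    Finding("web01", 443, "tls-weak-cipher", "medium", date(2009, 3, 30)),
    Finding("app02", 8080, "struts-remote-exec", "high", date(2009, 3, 30)),
    Finding("mail01", 25, "smtp-open-relay", "high", date(2009, 3, 30)),
]
SCAN_DATE = date(2009, 3, 30)


def verification_report(previous=PREVIOUS_ROUND, current=CURRENT_ROUND,
                        today=SCAN_DATE):
    """Summarize what the rescan proved fixed, what is new, and what is late."""
    fixed, new, persistent = diff_rounds(previous, current)
    return {
        "fixed": [finding_key(f) for f in fixed],
        "new": [finding_key(f) for f in new],
        "persistent": [finding_key(f) for f in persistent],
        "overdue": [finding_key(f) for f in overdue(persistent, today)],
        "work_order": [finding_key(f) for f in prioritize(new + persistent)],
    }


if __name__ == "__main__":
    for section, items in verification_report().items():
        print(f"{section}:")
        for host, port, check in items:
            print(f"  {host}:{port} {check}")
```

The identity key deliberately ignores the scanner's own timestamp and severity fields, because those change between runs even when the underlying weakness has not; a real deployment would normalize host names and plugin identifiers the same way before comparing rounds.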
Several factors bear on how often you scan your systems: the size of the environment, how much risk is tolerable, the size of your team, whether you can remediate identified problems in a reasonably short time, and the standards your industry is held to. Whatever frequency you settle on, repeat the testing at regular intervals; each cycle improves your security posture. After all, everyone would rather learn of a hole in their own security before someone else finds it first.