We must understand and accept at the outset that the situation is not the same as a decade ago, when this discipline was booming. Today the security requirements of organizations demand a radical change in penetration testing if it is to provide them with clear value.
This is what has changed:
· Companies recognize the need for minimum levels of security (there is no longer any need to demonstrate that failing to apply patches or other controls can lead to a serious incident).
· Companies recognize that, given enough material, human and technical resources, access to certain information or systems is virtually impossible to prevent (again, they no longer need someone to show them).
· Companies have found that implementing a basic security architecture that considers all critical components and the risks "relevant" to the business gives them more value than conducting thorough security testing on a specific system.
· Companies, and criminals too, understand that most security risks today reside not in technical vulnerabilities but in processes and people.
· Companies know that they no longer need to hire specialists who only tell them that they are doing very badly (technically) and that their problems will be solved by implementing expensive and complex security controls, without considering the root problem (which usually is not technical).
· Many companies, with the help of an information security company, have gained a minimum level of security knowledge and experience that enables them to demand quality in deliverables and reasonableness in projects, and they are unimpressed by technicalities.
· Automated vulnerability assessments today are quite complete and provide an analysis of sufficient depth for most companies, within a reasonable time (more cost-effective than the manual tests that experienced penetration testers can provide).
· Companies today value trust more than the degree of technical specialization (most specialists on the market already have a minimum acceptable level. Likewise, the "hackers" who once infiltrated networks or programmed viruses or worms and were rewarded and recognized for it now go to jail and are rejected by firms).
· Standards such as PCI, which consider traditional penetration testing a prerequisite, are strongly criticized today for the high costs involved compared with the real improvements in security levels they provide (cost-benefit).
· Companies are promoting security schemes based on analysis of their own risks, rather than the blind application of "generic best practices."
The value of Penetration Testing
Previously it was common to say that penetration testing complemented automated vulnerability analysis (breadth of coverage) by reviewing the most critical systems in depth. But given the changes mentioned above, penetration tests lose their value for many companies, even granting the specialists who perform them all possible knowledge. Supplementing vulnerability reviews with deeper technical analysis is almost pointless today, and this is perceived not only by companies but also by criminals.
However, there is an evolutionary path for a penetration testing company to provide the security assessments that all organizations need. And it makes perfect sense. If we look around our own businesses and think about where a common criminal would look to gain access to confidential information or to our systems, we realize that their first choice would probably not be the technical route, but rather something like bribery or social engineering.
Webimprints is an information security company that provides penetration testing services to fulfill security needs.
Posted by Webimprints.