Penetration tests are overstated

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 18 May 2016
Pen testing is intended to be a little controversial to get people or the organisation thinking about it, says an expert.

While the subject of penetration testing (pen testing) remains a topic of debate, Marco Slaviero, lead researcher at Thinkst Applied Research, believes this security method is intended to be a bit controversial just to get people or the organisation thinking about it.

According to Slaviero, if an organisation is thinking about securing itself and does a penetration test every year, and keeps doing it every year while the results keep coming back the same, that doesn't make sense.

Slaviero made the comments yesterday at ITWeb Security Summit 2016, at Vodacom World in Midrand, during a panel discussion debating the importance of penetration testing.

"The idea that pen testing is a mandatory part of all your security practices is incorrect. On the defence side there is a lot more stuff that can be done," he said.

Senior security analyst at Telspace Systems, Reino Mostert, said although he works for a pen testing company, there are some issues with pen testing: "I see the things that can be done as a result of pen testing, like immediate action being implemented, but I also get where people are coming from when they receive a 2 000 page report that they can't do much with."

Pen testing should be looked at as part of a holistic approach, Mostert continued.

The thing for him about getting a 2 000 page report is that, if that is what you are getting out of your pen tester, that work has to be automated, Slaviero noted.

"Spend money on automating that stuff. Don't hire a national pen test firm to give you a 2 000 page report; that should be part of your operations. They should be able to handle scans or vulnerability information as it's coming in. If that's what your pen test is, you're wasting your money on that type of service.

"I think pen tests have value but they have value at the point where all the other stuff is in line. They are not there to eliminate vulnerabilities; you are wasting your money if that is what you think," explained Slaviero.

In terms of engagements over the years, there has been evidence of the value and effectiveness of penetration testing as a means of defence, according to Dino Covotsos, director at Telspace Systems.

Covotsos reiterated that when it comes to defence services, a holistic approach needs to be adopted. "Pen testing is definitely something that has to happen. The need for pen testing is something that will be around for the indefinite future.

"Now more than ever people are quite keen to get pen tests, saying we need to get our networks tested."

"One of the really interesting things we are seeing is goal-oriented pen testing, where a pen test must achieve specific goals," Covotsos concluded.