Should You Conduct Penetration Testing In-House?
Computers
Written by Peter Maddocks
Wednesday, 16 September 2009 08:19

Penetration testing is a thoroughly understood field within information security. Dozens of books have been written on the subject in the last ten years, many containing detailed instructions for the steps involved in conducting a penetration test. So it is natural that we as consultants get asked the question, "Why should we pay a third party instead of conducting our own testing in-house?" The answer depends in part on your staff's skill set, but there are some other relevant factors as well.

Many of our clients have broad skills internally, and some of them are experts in their specific technology fields. However, being an expert in the workings of a technology alone does not make you an expert in how to secure it. To know how to secure a product you need to know how to break it and then apply appropriate countermeasures. Learning how to break a technology requires experience within multiple complex enterprise environments, so that you learn all the intricacies, permutations and implementation combinations.

It is an established best practice that people should not audit their own work, but does this hold true for penetration testing your own systems? Often the internal staff doing the testing will have been involved in the original setup, and it is difficult for a person to objectively review their own work. One could also argue that if a person was capable of finding security issues with their own work, then they should have corrected them at the time of implementation. Often a person is so immersed in the project they are delivering that they cannot see the forest for the trees. Also, finding problems during a penetration test may be an acknowledgement that the work was not conducted properly in the first place, something that not all staff will be willing to admit. In some organisations the team conducting the penetration test may be independent of the other teams involved with implementing the solution, so this may overcome the previous argument to some degree.

However, it is difficult to compare the skills of a penetration testing company that conducts hundreds of penetration tests per year with those of an in-house team that conducts perhaps a few tests a year, mainly against a static environment. There will be large differences in the breadth of skills, experience, and currency of attack techniques. While performing your own penetration tests internally is highly encouraged, it is important that you also engage professionals who can understand and provide remedial advice on any issues identified during a penetration test; otherwise you may be giving yourself a false sense of security.

About the Author: Sense of Security is a leading provider of information security and risk management solutions. We are Australia's premier penetration testing firm and trusted IT security advisor to many of the country's biggest organisations.


