pen-testing is dead, long live pen-testing?

I’m finally getting around to reading the NetworkWorld article that cited Fortify Software Inc. co-founder Brian Chess as essentially saying that penetration testing as we know it today is dying/dead. The article further states, “Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.”

Talk about confusing!

I think the assertion is correct that customers want preventative tools. I want preventative tools wherever possible. But I think there are three incorrect assumptions here. First, that preventative tools can possibly prevent or even anticipate every potential hole (or even most of them!). Second, that preventative tools are something more than just a band-aid on other issues. Third, that companies know all their weaknesses already.

The article (and Mr. Chess) makes it sound like the security buck stops at “preventative tools.”

There is value in preventing issues, but there is no way penetration testing is going away, or even beginning to die or dwindle, for many years. Too many corporations still thirst for knowledge of their security stances and weaknesses, or for leverage with higher-ups on budgets or project direction.

Prevention, detection, testing…these and more are all parts of a solid security posture. No one trumps the others, nor does one lag behind as dying or even changing.

Here are a couple of statements on my view of pen-testing.

If you have little existing security, pen-testing helps give direction and information on where to make improvements.

If you have a security plan in place, pen-testing helps give third-party validation to the results, while also potentially exposing weaknesses that were overlooked (the more eyes that read this post, the more we can say all the typos were caught!).

