To welcome in a new year, trundle on over to read a recent post by Valsmith on how “penetration testing is rapidly becoming obsolete” (and read the great comments). Yes, this topic has come up in various forms the past few years, but too often those claims are made by analysts or people who aren’t actually doing the tests. Or if they are, what they’re really saying is, “Pen testing is changing from how we knew it.” I think Val’s post is more coherent than most.
I’d ramble on more about it, but it’s all been said before! I will just say that there is still going to be a market for people who can parse the security results and go the extra mile to produce real value, inclusive of pen testing. If you think IT/Ops can interpret and handle even today’s automated scanners and log managers and tools and vuln scanners web app firewalls and DLP auditing…you’re not living their reality. That sort of approach is usually called, “lip service” or compliance-oriented security. Seriously, how many auditors still miss the obvious things or get famboozled when confronted with too much technical smoke and mirrors?