From: James Kelly (macubergeek@comcast.net)
Date: Mon Sep 03 2007 - 09:12:27 EDT
Fortunately or unfortunately, pen testing seems to be the ONLY
external security validation many organizations have.
You can't trust that to the IT staff (sys admins) who have a vested
interest in status quo.
Many firms may have a CISO, but that person is largely a security
policy person, not a technical security person (in most cases).
Additionally you have to separate out legal compliance issues from
pure security issues.
When you consider all the above, the pen tester acts in a quasi-auditing
role in many instances. Given that, pen testing can be valuable within
the limits of the budget.
Jk
On Aug 31, 2007, at 10:29 AM, Paul Melson wrote:
> Nikos Tsagarakis wrote:
>
>> I do not believe that penetration testing is a waste of money.
>
> Of course you don't, you're a pen tester! And lots of customers don't
> believe it's a waste of money, either. But for those that have invested in
> pen-testing, they do it with the expectation that you'll find and report the
> holes to them before the bad guys do. And when a company spends on
> pen-testing and gets hacked anyway, it's pretty hard to convince them of the
> value of those pen tests.
>
> PaulM
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:05 EDT