Should You Conduct Penetration Testing In-House?
Posted on : 13-09-2009 | By : Dejan Petrovic | In : PC Security
Penetration testing is a well understood discipline of information security testing. Over the last decade scores of books have been written on the topic, many of which walk the reader through the subject with step by step instructions for conducting penetration tests. So the question we are often asked as consultants is: why hire an external party rather than conduct the testing in-house? The answer depends partly on the skill set of your staff, but there are other factors to consider as well.
Securing a technology is very different from understanding how the technology works. Many of our clients are very tech savvy, but this does not necessarily mean that they understand how to break into a technology, or what preventative steps to take to ensure that the system is secure. Knowing how to break into a system requires an intimate understanding of every security aspect of that system, and prior experience with its different configurations and options.
It is an established best practice that people should not audit their own work, but does this hold true for penetration testing your own systems? Often the internal staff doing the testing will have been involved in the original setup, and it is difficult for a person to objectively review their own work. One could also argue that if a person were capable of finding security issues in their own work, they would have corrected them at the time of implementation. Often a person is so immersed in the project they are delivering that they cannot see the forest for the trees. Finding problems during a penetration test may also amount to an acknowledgement that the work was not done properly in the first place, something that not all staff will be willing to admit.
In some organisations the team that deployed a system does not perform the penetration test on it; instead a different team within the organisation performs the test. This avoids some of the problems that arise when a team is too close to a project, and allows mistakes to be found. However, you are then faced with the question of experience. Who is more likely to find the most vulnerabilities and know how to correct them: a team of individuals who conduct a penetration test a few times a year, or a company that has years of experience and performs hundreds of penetration tests each year? Clearly these are very different skill sets.
Performing your own penetration tests internally is highly encouraged, but it is important that you also engage professionals who can understand, and provide remedial advice on, any issues identified during a penetration test. Otherwise you may be giving yourself a false sense of security.
Sense of Security is a leading provider of IT security and risk management solutions. We are Australia's premier network and application penetration testing company, and trusted IT security advisor to many of the country's largest organisations.