Very interesting post over at Riskanalysis.is on penetration testing and what it may turn into.
There are some good reasons to do penetration testing in there, and I’d agree that targeted testing to prove or disprove theories about the security environment is a smart way to use penetration testing. My feeling, though, is that at the moment only more mature security organisations will be in a good position to use it that way.
For most companies there are other reasons why penetration testing is going to remain on the menu in its current form:
- Compliance. Penetration testing seems to be getting commonly adopted as one of the “bullet points” that need to be completed to comply with industry or government regulations, most noticeably PCI.
- Externally hosted applications. When a company doesn’t have great visibility of an application that it is entrusting valuable data to (e.g. most outsourced application hosting setups), it needs some way to get comfort that a reasonable level of security is being applied to that application. Usually that will involve a penetration test, especially if the application is exposed to a hostile environment (like the Internet!).
So whilst I’d definitely like to see smarter use of penetration tests, I don’t think that testing as it’s used currently is going to go out of fashion any time soon.