Why Penetration Testing is dead.

Penetration Testing (or Pentesting) is a legal, authorised audit in which hackers attempt to break into systems, as far as they are able within the scope and time of the engagement, in order to test the security of the environment.

Many audit firms push penetration testing services, and some compliance standards and regulatory bodies require them too, PCI DSS being the obvious example.

The results of a penetration test are largely bound by the timeframe of the engagement AND the skillset of the individual tester. There are not many, or should I say far too few, talented testers for every company in the world to employ one, therefore the results will never be sufficient.

A second issue with pentesting comes from the report, or "list", it generates: the vast majority of companies take the report output and treat it as a checklist, fixing exactly the findings listed and nothing else. This is wrong!

The report should paint the big picture of what is wrong at a holistic level, or at least trace a path back to the root cause, inferring and extrapolating what other issues are likely to exist within the company. A SQL injection finding in one application is rarely an isolated bug; it usually points to a missing secure-coding practice that affects every application the same team ships, whether or not the tester had time to reach it.

In short, resources are better spent on reducing mean time to detect (MTTD) and mean time to contain (MTTC) than on another point-in-time test. Where a standard such as PCI DSS mandates a test, run it, but measure the security programme by how quickly an intrusion is noticed and stopped, not by the length of the findings list.
