Late last year SANS conducted a survey on application security practices in enterprises. One of the questions asked in the survey was how often organizations are doing security testing. The responses were: no security testing policy for critical apps: 13.5%; only when applications are updated, patched or changed: 21.3%; annually: 14.3%; every 3 months: 18.0% … Continue reading Security Testing: Less, but More Often can make a Big Difference
Penetration testing is one of the bulwarks of an application security program: get an expert tester to simulate an attack on your system, and see if they can hack their way in. But how effective is application penetration testing, and what should you expect from it? Gary McGraw in Software Security: Building Security In says … Continue reading What's the point of application pen testing?
[Cross posted from SANS ISC] Penetration tests and vulnerability assessments are becoming more common across the whole industry as organizations have found it necessary to prove a certain level of security for their infrastructure and applications. The need to exchange test result information is also increasing substantially. External parties ranging from business partners and clients to regulators may … Continue reading Exchanging and sharing of assessment results
The person I had the IM discussion with was Daniel Miessler. He responded in his own blog, and sent me the excerpt below as a response. Thanks for the offline and online comments so far. Certainly an interesting topic to discuss!
Is a pentest done after you got root? Or is this just the start of finding even more vulnerabilities? In my opinion, a pentest should aim at finding as many vulnerabilities as possible.