The "RISKY BUSINESS" Blog

Religion, Politics, & (now) Penetration Testing

Posted by John Verry on Fri, Jul 16, 2010 @ 10:51 AM

My mother always used to say “you should never discuss religion or politics with others”. As I’m not very knowledgeable in either, and neither appeals to me very much, it has been pretty easy to comply with mom’s guidance.

Over the last few weeks I’ve learned that there is one more item to add to that list: “Penetration Testing”. I wrote a blog post on penetration testing that was intended to stimulate discussion. The hope was that it would move the conversation forward on an industry subject that sorely needs open and candid discussion, the kind that can inch us towards a more standard definition of the term. Instead, what I got was highly negative feedback, delivered with a fervor reminiscent of a religious zealot. The more rationally I attempted to explain my position, the more irrational the response; finally I gave up. My argument was pretty simple: scale the test so that the testing activities are proportional to the risks the client is looking to validate, i.e., to confirm that those risks are controlled to an acceptable level.

While I understand the value of a black-box penetration test, ongoing vulnerability research, and writing custom exploit code, I find it remarkable that there are practitioners who insist that unless a test includes all of these, it is not a penetration test. To suggest that the right penetration test for the CIA is the same as the right penetration test for a widget manufacturer ignores basic risk assessment principles: the cost of a control should not exceed the cost of the risk it mitigates. Where a compromised server at a widget manufacturer may be a mildly business-impacting nuisance, a compromised server at the CIA may result in thousands of lost lives. Clearly, the extent and rigor of the testing for the CIA should exceed that of the widget manufacturer. I have yet to meet the widget manufacturer who wants to protect himself from custom-written exploit code; it is a risk they are simply willing to accept.

I have been following a similar debate on another blog this week that I think is interesting and illustrates my point. And no, I am not either of the folks in that conversation :>)

The Tactical/Strategic Information Security Continuum

Posted by John Verry on Mon, Jul 12, 2010 @ 02:47 PM

I have noted a gradual and interesting change over the last few years. Our security assessment “read-out” meetings, where we discuss our findings in detail with the client, have gradually become more strategic in nature. We still spend quite a bit of time talking about the more tactical elements of risk mitigation (e.g., what configuration changes need to be made, what patches need to be deployed, what coding changes need to happen); however, we are now spending more time discussing the root cause of the issues and what upstream changes are necessary to reduce the likelihood that the identified problems re-appear.

Even more interesting to me is that we are having conversations even further up the tactical/strategic continuum at initial meetings with our clients. The momentum around ISO 27001 is remarkable. There is a much smaller, but still notable, buzz around OWASP as well. Clearly, information security is evolving.

Personally, I’m excited by the change. To me it represents a very significant inflection point, one where we stop looking for technical “silver bullets” for our pain points and begin to apply a more structured, methodical system to being secure and proving we are compliant. Leveraging the most open and trusted standards possible, especially those that are well vetted and widely recognized, is common sense.

There are many implications to this shift up the continuum. I’m optimistic that the most notable will be that the process becomes simpler, resulting in a significant improvement in security postures.
