Recently I’ve noticed that a longstanding trend in security attestation is taking on a new twist.
For some time, CPA firms, qualified security assessors (QSAs) and similar entities that focus on security attestation have been including penetration testing as part of their attestation work. I believe that you can make a strong argument for this as a means of substantiating the net effectiveness of the security controls. (A more cynical person might also add that penetration testing in this context is also a means for the attestation firm to increase its revenue.)
The new trend we’re seeing is organizations conducting “preparatory” application and/or network penetration tests in advance of the penetration testing being performed by the attestation firm. They’re doing this to preemptively find and fix vulnerabilities, thus helping to ensure that their SOC1, SOC2 or PCI Report on Compliance ends up “clean.” The business seeking compliance doesn’t want the attestation firm to include “bad” pen test results in the reports it issues.
This trend is extending into other areas of security assessment as well. For example, we recently conducted a firewall rule base configuration assessment in a very compressed timeframe because a SOC2 auditor had requested a copy of the client’s firewall configuration. The client’s desire to proactively address any problems before the auditor saw the configuration reflected a similar concern.
I “get” this from a business perspective, and can see that it’s an unavoidable byproduct of the “demonstrable security and compliance” competitive environment that many organizations are living in. Heck, selfishly this is a positive trend for Pivot Point’s penetration testing practices.
But the security practitioner in me shudders at this intense focus on a clean report as “the destination”—as opposed to ongoing monitoring as “the process” that will keep companies from having to endure an “Ashley Madison moment.” This is especially important given that funds spent on what is effectively redundant penetration testing could potentially be used for some higher-value security initiative.