Importance of Penetration Testing and Compliance Audits
Penetration testing, or as some people call it, security assurance, is a process of testing corporate networks, systems, and applications to find out whether they can be compromised. A penetration tester's job is to try to break into an organization's systems. Penetration testing is a critical part of any security program. Attackers don't discriminate between organizations, and they test their defenses every day.
Pen-testers think like hackers, and they use the same tools and techniques. The only difference between a hacker and a pen-tester is that pen-testers are much more comprehensive in their testing of attack scenarios. Penetration testing is carried out by specialized and authorized organizations to help a firm identify potential security risks. If a pen-tester can steal valuable information from an enterprise, then an attacker can do the same. Fixing the vulnerabilities that pen-testers find and report makes it hard or impossible for attackers to break into the system, because most of the weaknesses have already been addressed.
Binding Compliance and Pen-Testing Together
Penetration testing is essential for organizations because PCI DSS, SOX and HIPAA require an annual penetration test from a third party. It is generally understood that pen-testing once a year is not nearly enough, since an organization can be compliant today and compromised tomorrow. PCI DSS requires scanning of networks, systems and applications alongside pen testing, as do HIPAA and GLBA. However, pen testing is not the same thing as vulnerability scanning.
Pen-testing generates far more valuable data than a vulnerability scanner. A pen-test not only tests systems but also tests people, and it tells security professionals what could actually be compromised. A pen-test is more detailed than a vulnerability scan. A scan shows that a device is vulnerable and warns security professionals about the problem. There are many reasons why a vulnerable machine may not be exploitable, for instance because it sits behind two layers of firewall, and a pen-test confirms for security pros whether that is the case. These details can save an organization a lot of time and money.
Positioning pen-testing for compliance
An auditor needs to be convinced to accept a pen-test in place of a vulnerability scan. Positioning is critical for convincing an auditor. The security team must be in control of the process, and the auditor must know about it. The auditor needs actionable information, which makes him more confident. If the auditor finds that everything is in order, the only conclusion he can draw is that things are OK. If there are open vulnerabilities, then the auditor's decision might waver.