Should You Conduct Penetration Testing In-House?

Penetration testing is the testing of computer systems and networks using hacker techniques. For many years authors have written texts in a succinct and easy-to-follow format on how you can conduct your own penetration testing. This has opened up the debate as to the importance of actually hiring a professional company to perform penetration tests, when there is so much information available for a company to perform these important tests on its own. The answer to that debate is largely dependent on how confident you are in the ability of your staff to perform penetration testing, but that is not the only thing that you should think about.

Securing a technology is far different from understanding how the technology works. While many of our clients are very tech-savvy, this does not necessarily mean that they understand how to break into a technology and what preventative steps to take to ensure that the system is secure. Knowing how to break into a system requires an individual to have an intimate understanding of every security aspect of the system and prior experience with the different technology configurations and options.

One known and accepted best practice is that people should not be the ones to test their own work. It is difficult for someone to conduct an objective evaluation of his own work. Not only that: if a person is able to find security problems in his work, then one has to wonder why he didn't correct them during implementation. For this reason the person may be reluctant to admit having found a security issue in his own work after the implementation phase. Normally, a person is so immersed in the details of the project that it is difficult for him to step back and take a broader perspective.

There are situations where the team that deployed a system does not perform a penetration test on their own system; instead, a different team within the organisation performs the test. This may prevent some of the problematic issues that occur when a team is too close to a project, and allow mistakes to be found. However, you are then faced with the question of experience. Who is likely to find the most vulnerabilities and know how to correct them? A team of individuals who conduct a penetration test a few times a year, or a company that has years of experience and performs hundreds of penetration tests each year? Clearly these are very different skill sets.

While performing your own penetration tests internally is highly encouraged, it is important that you engage professionals who can understand and provide remedial advice on any issues which may be identified during a penetration test; otherwise you may be providing yourself with a false sense of security.