Are penetration tests essential for enterprise network security?
How large of a role should penetration testing have in an enterprise network security strategy?
Penetration testing can provide valuable information on the state of your security defenses, but it's quite expensive. For a penetration test to have credibility, it usually must be performed by an independent, outside firm. If you use insiders and the tests demonstrate vulnerabilities, you'll hear criticisms that the testers must have taken advantage of their insider information and knowledge of the infrastructure in an attempt to swell security budgets. On the other hand, if the tests show that all's well, you'll be criticized for conducting a test that isn't thorough enough. That's certainly a catch-22 if I've ever seen one!
Due to the high cost of penetration testing, I usually recommend that mature security programs consider it. If you're currently building up your security infrastructure and lacking several major pieces, invest your budget there first. Otherwise, the penetration test will only uncover vulnerabilities that you're already aware of. On the other hand, if you deploy penetration testing to evaluate a fully implemented infrastructure, you might gain valuable insight on potential weaknesses.
More information: Michael Cobb provides tips on how to select a penetration tester.
Learn how to pen test a VPN.
This was first published in July 2007