http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=224400589 By Keith Ferrell Special To Dark Reading Apr 16, 2010 Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise -- but it's also a step not to be taken lightly. "The advantage of having in-house penetration testers is the focus they provide," says Chris Nickerson, founder of security firm Lares Consulting. "They're able to keep track of the latest exploits and vulnerabilities, constantly monitor systems, and practice and sharpen their skills. But in order to achieve those benefits, they have to be focused. " Nickerson points out that while some really large enterprises are fielding teams wholly dedicated to testing, for most companies pen tests are only part of the testers' responsibilities. "It's all too common to find penetration tests delayed or put off because the tester has too many other open tickets to deal with," he says. While even a part-time pen-test specialist on staff can be a step in the right direction, it can also be risky. "The variety of tools available for pen tests today is remarkable, and I pretty much applaud them all," he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot of time ensuring that installing their agents don't blow the boxes that are being tested. That's the default: Once the agent is installed and it's determined whether or not the exploit works, the agent is uninstalled." [...] ___________________________________________________________ Register now for HITBSecConf2010 - Dubai, the premier deep-knowledge network security event in the GCC, featuring keynote speakers John Viega and Matt Watchinski! http://conference.hitb.org/hitbsecconf2010dxb/Received on Sun Apr 18 2010 - 22:47:57 PDT
This archive was generated by hypermail 2.2.0 : Sun Apr 18 2010 - 22:52:33 PDT