Pen testing: How to ensure effective testing
- Article 11 of 33
- SC Magazine, August 2007
Finding potential weaknesses in your systems before someone else does can save you a lot of trouble. Just follow Rob Buckley's top tips.
“Pen testing is like a safety net for us,” says Wayne Armstrong, head of information security at CPP. “It means we have another mechanism for identifying weaknesses that weren't identified during our change management process.”
The company performs annual pen tests, having decided as the result of a BS7799 certification project's gap analysis that it needed to find potential vulnerabilities. “The annual pen test we do is over and above any pen test we might do off the back of a project,” Armstrong explains. “If we think there's a risk of anything on our infrastructure being exposed as a result of a change we may pen test it as well.” Pen testing expenditure is built into both the annual budget and each project's budget.
CPP now uses ProCheckUp for pen testing. “I like the way they work. They use different technology,” Armstrong says. He believes that the company's use of an automated, artificial-intelligence tool to perform the majority of tests provides an alternative view of vulnerabilities. Certainly, ProCheckUp's tool picked up a serious flaw in a legacy application, grave enough for the application to be turned off until the flaw was fixed, which previous pen testers had missed.
Once Armstrong receives a report from the pen tester, he has to decide which problems are important enough to spend time and money fixing and which are unlikely to cause problems. With most of CPP's systems created by an internal development team, pen testing also provides an insight into where security flaws can arise.
Armstrong plans to continue using ProCheckUp for the foreseeable future, although he doesn't rule out a change at some point in the future. His advice to others? “If you're going to hire a pen tester, use somebody with a reputation you can rely on.”
