#ISC2Congress: Which Pen-Testing Approach is Right for Your Business?

Speaking during the virtual (ISC)2 Security Congress, Alex Haynes, CISO at CDL, explored the various pen-testing approaches available to organizations and outlined how companies can determine which option best fits their business use cases.

“The problem with pen-testing in the market is that there’s an ‘alphabet soup’ of terminology and it is very easy to get confused when there are all these marketing terms being thrown around.”

Essentially, there are three key approaches to pen-testing that organizations can implement, Haynes said.

The first is traditional pen-testing, defined as a “snapshot of your security posture at a particular point in time.”

The pros of traditional pen-testing include cost efficiency, flexibility and standardization. However, there are important shortcomings to consider, Haynes warned: traditional engagements are infrequent, time-limited and lack diversity in approach, and they can induce "pen-tester syndrome" (a focus on theoretical vulnerabilities that makes things appear worse than they actually are).

The second approach to pen-testing open to organizations is the crowdsourced security option, Haynes continued. This involves “having more than one tester who has no affiliation [with your systems] looking for bugs and vulnerabilities on your systems and applications.”

A crowdsourced security pen-testing strategy offers some key benefits that traditional methods cannot, including higher testing frequency, unlimited timescales and a more cost-effective business model (in the short run), in which researchers are paid only per vulnerability found rather than drawing a full salary.

However, as with traditional pen-testing approaches, crowdsourced strategies have th ..