Penetration testing: an enterprise guide

Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?

Ask the right questions

Every enterprise should be asking the right questions of the pen testing service during the initial sourcing process. Kevin Foster, business development manager, testing services, with MTI Technology, put together this essential 'top 10' list for IT Pro readers:

1. Are you members of the CESG CHECK and CREST schemes?

2. What other security testing accreditations does your firm hold?

3. What are your testers' credentials and backgrounds?

4. How many years have your consultants been conducting pen testing?

5. Do you adhere to standard penetration testing methodologies such as OSSTMM for networks/servers and OWASP for web applications?

6. Please provide real-world examples of where your manual penetration testing adds value over what can be found with automated vulnerability analysis tools only.

7. Do you look after your own vulnerability research and tool development?

8. Can I see the CVs of the testers that will be working on my test?

9. Can I speak to three references from my industry sector who are happy with the work you have delivered?

10. Show me your insurance certificates covering Professional Indemnity, Employers' Liability and Public Liability.

Enterprise, test yourself?

But what about adopting a DIY approach? Can the enterprise pen test itself, or is DIY pen testing never a good idea? Edd Hardy, head of security practice with CNS Hut3, thinks the subject of whether an enterprise can, or should, be pen testing itself is an interesting one. "Everyone should be doing some security testing," Hardy says. "IT and security staff should be doing basic checks, looking for the obvious and avoidable issues like default passwords. However, one of the key points of a pen test is that it is independent."

In other words, people should not be marking their own homework. So while enterprises can, and do, pen test themselves, it's important to add the caveat that the skill sets need to be there. "Penetration testing requires a unique set of skills that are hard to find," Daniel reminds us. "It's not as simple as understanding how to use a particular tool set but having an expert knowledge of systems, protocols, applications and programming/scripting at a very intimate level."

Sometimes, then, the best approach can be to blend the two together: have your own staff perform regular penetration testing and then engage a specialist security service provider to perform one on a less regular basis in order to audit the effectiveness of the in-house testing.

The legal perspective

What is the legal position with regards to pen testing from the perspective of both the tester and the business being tested? Is there a standard pen test contract which covers legal liability (or exclusion from the same), or should these be tailored on an individual enterprise basis? "Terms and conditions should certainly be written up that protect both the penetration testing company and their customers," Marios Kyriacou, head of security testing at Integralis, told IT Pro. "Carefully written up scopes that set boundaries are very important and will help to limit any potential damage."