Pen-Testing to CSO: The Rumors of My Death Have Been Greatly Exaggerated

Posted by in Analysis on Dec 10, 2008

You probably already know this, but I love it when people try to predict the future. Seriously, it’s great. I love these for two reasons: #1) they succinctly capture the “zeitgeist” (like a snow-globe of the industry) and #2) they’re usually wrong – but in being wrong, they still make us think.

For example, remember these:

- McAfee predicts 2006 to be the “Year of Phone Malware”
- Gartner declares “Death of IDS”
- Websense predicts VOIP Phishing (Vishing)

These were all way off the mark of what actually happened in the years they were predicted for, but still great because they’re probably going to be right someday. In fact, that’s what I think makes a great prediction: wrong today, but true enough that it’ll come true someday. For example, IDS isn’t dead yet… but it probably will be someday (or at least change so much that it’ll be unrecognizable as IDS). Phone malware isn’t a huge issue yet, but it could be at some point.

And I have to admit that this year I’ve been slightly bummed out. Bummed out because it’s December 11 already and there’s been a dearth of predictions. Where are all the swamis telling us how 2009 will go? But then I saw Bill Brenner’s CSO article where Brian Chess of Fortify predicted the death of pen testing in 2009. I love it.

Now, it won’t be true in 2009 in my opinion.

#1) PCI specifically requires an annual pen test (requirement 11.3). Since PCI isn’t going away in 2009, neither will pen testing.
#2) When I read a pen test report that doesn’t say “surprise, you’re running NT 4”, then I’ll agree it’s not needed.
#3) I don’t accept the assertion that better monitoring is a replacement for testing. (I.e. just because the sheep wear a bell doesn’t mean they won’t get lost.)

But look past 2009 and farther down the road? 2015? 2020? Well, I think I see his point. Maybe monitoring will get so good that we can intuit the results of a pen test without doing one. Maybe we can find out all we need to know about these systems without the need to plumb around and check it out. We’re not there yet, but that doesn’t mean we won’t get there. In the meantime though, it’s trust *and* verify.

  • http://www.terminal23.net Michael Dickey

    I feel that the only way we can say pen-testing will go away, and I think this is part of your point above, is when technology stops changing so damned much that we know what is in our environment.

    Sadly, I don’t think we’ll ever collectively be able to catch up with technology change such that enterprise teams will either know all the assets and risks and threats or other technology can know it for them.

    I mean, hell, can I pen-test your house? Or that of your neighbors? I’ll still get results. And to business, I still think knowing those results has value (whereas to a home-owner, not necessarily).
