Monthly newsletter Weekly news roundup Breaking news notification    

Penetration testing is dead; long live penetration testing

Get free weekly news by e-mailBrian Chess, co-founder and chief scientist of Fortify Software Inc.

My colleagues, Gary McGraw and Sammy Migues, and I interviewed executives at some of the world’s top software security programs in 2008. These discussions were truly enlightening, revealing some interesting ideas, and we’re in the process of using the data collected to build a maturity model. However, one insight was just too good to wait …

At the end of last year I openly declared my belief that 2009 will see the death of penetration testing as we know, and love, it. No, I hadn’t had too much sherry during the festive period – neither in the cold light of New Year have I had a change of heart. I would, however, like to clarify what some have construed as the inane ramblings of a madman. Let me start by saying that penetration testers are not suddenly going to disappear off the face of the earth this year. Instead, we will see the practice undergo a transformation and be reborn as part of a tightly integrated approach to security.

Why the need to evolve
I believe it to be universally true that if you’re not paying attention to security, then you have security problems and for this very reason penetration testing has been able to firmly establish its position in software security. Historically, many organizations have written code that they recognise will be insecure and, once complete, their first action is to deploy penetration testing to prove this premise, paying for the privilege! Am I the only one to see the futility of this exercise? Not anymore.

I was not surprised that every one of the programs we talked to back in 2008 practiced penetration testing (most using external firms) at one time or another. After all, there's nothing like a smoking hot pen testing report to get an organization to admit it has a problem. However, as activities earlier in the SDLC are adopted, penetration testing begins to lose some of its lustre. We found evidence that the role of penetration testing lessens (but does not go to zero) as an organization gets a handle on the software security problem. So here’s the eureka moment: as organizations get better at software security in the first instance, so their emphasis on penetration testing to look for the holes that they know exist diminishes.

Pen testing will get wrapped into a much larger and far more comprehensive approach to improving security. The best initiatives balance the yin and the yang of attack and defence.

2008 saw us pass an inflection point.
People are now spending more money on getting code right in the first place than they are on proving it’s wrong. However, this doesn’t signal the end of the road for penetration testing, nor should it, but it does change things. Rather than being a standalone ‘product’, it’s going to be more like a product feature. Penetration testing is going to cease being an end unto itself and re-emerge as part of a more comprehensive security solution.

This kind of thing happens all the time in high-tech. The first PC spell checkers were standalone programs, but the market for stand-alone spell checkers died when they became a standard part of any word processor. These days spell checkers are everywhere (even in my IDE), but there is no market for a standalone spell checker. Proof positive: there aren’t even any Web 2.0 or iPhone spell checker startups!

So why now?
Alright, so why 2009? The time is right because back in 2007, IBM bought a company named WatchFire and HP bought a company named SPI Dynamics. The acquired companies both made web application penetration testing products. IBM and HP spent serious money for these companies - not crazy dotcom prices, but even at HP and IBM you have to tell a good story before you get to spend upwards of seventy million dollars. The good story was that the acquired technology would work together with other products and services to fuel a broad entrée into a rapidly growing software security market. It takes a little while to digest any acquisition, but by now it’s been long enough. 2009 will be the year this strategy comes together, and when we look back, it will be the year when most of the world began thinking about penetration testing as part of a larger offering.

There will always be boutique security consulting companies with funny names and exotic services, but the industry will grow by integrating security yin and yang. If you’d like a sneak preview of what the future holds, check out the work White Hat Security has done to integrate their vulnerability measurement service with Web application firewalls. This is attack and defence working together in a creative new way.

Evolve or die
More than ever before, people understand the software security challenge, and penetration testing deserves credit for helping spread the word. But knowing a security problem exists is not the same as knowing how to fix it. In other words, penetration testing is good for finding the problem but doesn’t help in finding the solution – and that’s why it must take a long hard look at itself and then make a change. Just like the venerable spell checker, it’s going to die and come back in a less distinct but more pervasive form and I, for one, can’t wait.

www.fortify.com

•Date: 27th January 2009• Region: UK •Type: Article •Topic: IT continuity
Rate this article or make a comment - click here




Copyright 2010 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help