By Kelly Jackson Higgins
Nov 18, 2009
Penetration testing, once considered a risky practice for the enterprise
and even a tool for evil hacking purposes, is becoming more of an
accepted mainstream process in the enterprise mainly due to compliance
requirements and more automated, user-friendly tools -- and most
recently, the imminent arrival of a commercial offering based on the
popular open-source Metasploit tool.
Rapid7's purchase of the Metasploit Project last month and its hiring of
the renowned creator of Metasploit, HD Moore, demonstrate just how far
penetration testing has come over the past 18 months, security analysts
say. While some organizations still confuse penetration testing with the
more pervasive vulnerability scanning, which searches for and pinpoints
specific vulnerabilities and weaknesses, penetration testing is finally
about to enter a new phase of commercial deployment, experts say.
Penetration testing basically puts the tester in the shoes of a would-be
attacker, using exploits and attack combinations against a network or
application to find where the actual exploitable weaknesses lie.
"This is an exciting time because we're starting see even the edgy
[penetration testing providers] look to the enterprise as a viable
market," says Nick Selby, managing director of Trident Risk Management,
a Dallas-based security and consultancy firm. "The technology is more
mature so that the more experienced and skilled penetration testers have
better toolsets than ever ... and the less experienced ones can do more
of the low-hanging fruit work."
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News