Taking Penetration Testing In-House

Taking Penetration Testing In-House
Taking Penetration Testing In-House 

By Keith Ferrell
Special To Dark Reading
Apr 16, 2010 

Conducting penetration testing in-house rather than using an outside 
consultant is worth considering for reasons of both cost and security 
expertise -- but it's also a step not to be taken lightly.

"The advantage of having in-house penetration testers is the focus they 
provide," says Chris Nickerson, founder of security firm Lares 
Consulting. "They're able to keep track of the latest exploits and 
vulnerabilities, constantly monitor systems, and practice and sharpen 
their skills. But in order to achieve those benefits, they have to be 
focused. "

Nickerson points out that while some really large enterprises are 
fielding teams wholly dedicated to testing, for most companies pen tests 
are only part of the testers' responsibilities. "It's all too common to 
find penetration tests delayed or put off because the tester has too 
many other open tickets to deal with," he says.

While even a part-time pen-test specialist on staff can be a step in the 
right direction, it can also be risky. "The variety of tools available 
for pen tests today is remarkable, and I pretty much applaud them all," 
he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot 
of time ensuring that installing their agents don't blow the boxes that 
are being tested. That's the default: Once the agent is installed and 
it's determined whether or not the exploit works, the agent is 


Register now for HITBSecConf2010 - Dubai, the premier 
deep-knowledge network security event in the GCC, 
featuring keynote speakers John Viega and Matt Watchinski! 

Site design & layout copyright © 1986-2014 CodeGods