mailing list archives
RE: Business justification for pentesting
From: "William Tarkington" <William.Tarkington () openwave com>
Date: Tue, 30 Aug 2005 12:22:50 -0700
Gartner is the major provider of information regarding this type of
stuff. If you aren't able to get access it's a crap shoot on the web.
It is true that recovering from an incident costs more than preventing
To get Pen-testing approved I generally use the fire sprinkler system
We've invested this money in our security now we use pen testing to
validate we have achieved what we invested our money for.
Or just because you install a sprinkler system doesn't mean you don't
test it once a year. Simply because the cost of not having it exceeds
the cost of testing and the same is true for pen testing.
From: sectraq () gmail com [mailto:sectraq () gmail com]
Sent: Tuesday, August 30, 2005 9:30 AM
To: pen-test () securityfocus com
Subject: Business justification for pentesting
a few classic question that i would appriciate any answers for.
1- i would like to briefly know how to quantify information assets. In
other words, i hear a pentester say: if a hacker breaks in ur network, u
will loose up to 40000$ for example. how can he come up with such
2- are there any other means to justify pentesting for management except
3- are there any official statistics, figures etc. for justifying
pentesting. ther more official it is the better.
4- any other information you guys might find helpful in justifying a
pentest would be appriciated.
thnx in advance for ur help.