Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Business justification for pentesting
From: "Steve Manzuik" <smanzuik () eeye com>
Date: Wed, 31 Aug 2005 13:42:41 -0700

1- i would like to briefly know how to quantify information 
assets. In other words, i hear a pentester say: if a hacker 
breaks in ur network, u will loose up to 40000$ for example. 
how can he come up with such figures?

This almost sounds like a scare tactic to me.  I have seen Pen-Tester's
pull numbers out of their backsides in an attempt to justify their over
priced rates.  This is a risk management thing not a pen-test thing.
Assets need to be classified, IP needs to be documented, and then a
qualified person could put a price tag on it.  But in reality this is
not exclusively connected to a pen-test and is more of a general task
that should be done as part of building a secure infrastructure.

2- are there any other means to justify pentesting for 
management except for $$$?

This depends on the organization.  If your organization has not given a
thought to their IT security then a pen-test is a bit of a waste of
time/budget because it will tell you what you already know -- your
security sucks.  That being said, if your organization has done what
they feel to be the right thing in creating a secure environment then a
pen-test is a good way to validate the money you have spend on various
security technologies.

Management can look at a pen-test as a bit of a report card on how their
various security initiatives have worked.  In some cases a pen-test can
even be used to validate the functionality of incident response plans
and detection technologies.
3- are there any official statistics, figures etc. for 
justifying pentesting. ther more official it is the better.

Not really.  In my opinion there are no statistics that cannot be proved
to be biased.  But I guess the CSI/FBI survey may help your purpose

Steve Manzuik
eEye Digital Security

http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner 
http://eEye.com/Iris - Network Traffic Analyzer 
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 

I read my email with Outlook
I read your email with Iris

Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]