Penetration testing: Security experts mention it all the time as one of the essential tools of defense-in-depth. Companies have raked in the dough selling the service and the tools for years.
But is it possible that penetration testing – the art of probing company networks in search of exploitable security holes that can then be fixed – is an idea whose time is about to expire?
If you ask Brian Chess, co-founder and chief scientist of business software assurance (BSA) vendor Fortify Software Inc., the answer is yes.
"Death sounds rather gloomy, but stuff in high tech dies all the time," Chess said in an interview Tuesday. "Desktop publishing? Dead – but not gone. Personal Digital Assistant (PDA)? Many of the concepts are still with us, but the PDA is dead."
Penetration testing is headed for a similar fate, he said. The concept as we know it is on its death bed, waiting to die and come back as something else. That doesn't mean pen testers will suddenly be unemployed, he said. It's just that they "won't be as cool" as they've been in more recent years.
Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.
"Death doesn't mean it goes away, it means it transforms. Pen testing will be reborn in the area of production monitoring and measurement," Chess said. "The goal won't be that failure is found and must be fixed. The goal is that failures will become a much rarer event."
Naturally, security practitioners who swear by pen testing as a critical component of a layered security program are reacting to his hypothesis with more than a little skepticism.
Jennifer Jabbusch, CISO at Carolina Advanced Digital Inc. in the Raleigh-Durham area of North Carolina, took issue with Chess' basic premise that penetration testing will become a component of monitoring and measuring.
"Pen testing will continue," she said in an exchange over the Twitter social networking site. "Monitoring and measuring is not pen testing. It's what you do after pen testing."
She also faulted the example of desktop publishing being a dead art, saying, "Desktop publishing isn't dead. In fact, it's grown. Now you can design on your desktop and deliver via the Internet for printing at FedEx/Kinkos."
Others agree penetration testing will continue, but don't necessarily think Chess' position is all that off the mark.