
How often should Penetration Testing, Vulnerability Testing and Application Security Testing be done?

Posted on 2014-09-05
Last Modified: 2014-09-15
Hi

My company has a new web based application that we wish to sell to other businesses. I have been asked the following questions by the Information Security Manager at a potential big new client:
"How often do you run Application Security Testing, Penetration testing & Vulnerability Testing?"

I am looking at maybe using something like Trend Micro's Deep Security. This solution offers some level of protection & monitoring 24x7, so how often should I run the potentially more aggressive tests that they are asking about? Would it be unrealistic to say something like "depending upon your exact requirements we usually run them every 1-3 months"?

Thanks for your help!
Question by:everycloud
 

Accepted Solution

by: Randy Poole
ID: 40306295
You should really run it after you make updates to any of the following:
update to the SAAS itself
modification of the web server
modification of the database server
modification to the firewall/intrusion detection system
 

Assisted Solution

by: Sean Jackson
ID: 40306329
Having a 24/7 monitoring solution is not a penetration test.

How often you conduct one is up to you and any regulations you are beholden to.  Typically I've seen penetration tests done annually. The application security test should be part of the penetration test, and a vulnerability test would be covered by the penetration test.  What I'm saying is, if you state (and actually do it) that you have external and internal penetration tests, covering applications as well, annually, you would be able to answer that question succinctly as "Annually", and easily meet what they're asking for.

1-3 months is VERY aggressive for a penetration test schedule.  Excessive, unless you've got national security data you need to protect.  IMHO.
 

Assisted Solution

by: Sean Jackson
ID: 40306332
In reference to Randy's comment, I would not conduct a penetration test after those changes were made, but I would use a vulnerability scanner before you make the change (baseline), and then again after the change to see if any new vulnerabilities have presented themselves as a result of the change.
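The baseline-and-rescan approach Sean describes, applied to the change triggers Randy listed, as an added example (this is not code from the thread or from any scanner vendor): a small Python script that compares a scan export taken before a change with one taken after it, lists the findings the change introduced or resolved, and refuses the change if anything new is at or above a chosen severity. The finding structure, host names and check identifiers below are constructed placeholders, not output of any real scanner.

```python
"""Baseline-vs-post-change vulnerability scan comparison.

Added example, not from the original thread. It assumes each scan has been
exported to a flat list of findings; the record layout and every sample
value below are constructed for illustration.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # scanner's check/plugin identifier (placeholder values below)
    severity: str   # one of the SEVERITY_RANK keys


def compare_scans(baseline, post_change):
    """Return (new, resolved, unchanged) findings keyed on (host, port, check_id)."""
    base = {(f.host, f.port, f.check_id): f for f in baseline}
    post = {(f.host, f.port, f.check_id): f for f in post_change}
    new = [post[k] for k in post.keys() - base.keys()]        # appeared after the change
    resolved = [base[k] for k in base.keys() - post.keys()]   # gone after the change
    unchanged = [post[k] for k in post.keys() & base.keys()]  # present in both scans
    return new, resolved, unchanged


def gate(new_findings, threshold="medium"):
    """Accept the change only if no new finding is at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in new_findings if SEVERITY_RANK[f.severity] >= limit]
    return (len(blocking) == 0, blocking)


# Constructed sample data: a scan before a web server change and one after it.
BASELINE = [
    Finding("app.example.test", 443, "EXAMPLE-TLS-001", "medium"),
    Finding("app.example.test", 443, "EXAMPLE-HDR-002", "low"),
    Finding("db.example.test", 5432, "EXAMPLE-DB-003", "high"),
]
POST_CHANGE = [
    Finding("app.example.test", 443, "EXAMPLE-HDR-002", "low"),          # still present
    Finding("app.example.test", 443, "EXAMPLE-DBG-004", "high"),         # introduced by the change
    Finding("app.example.test", 8080, "EXAMPLE-MGMT-005", "critical"),   # new listener exposed
    Finding("db.example.test", 5432, "EXAMPLE-DB-003", "high"),          # untouched by the change
]


def report(baseline=BASELINE, post_change=POST_CHANGE, threshold="medium"):
    """Summarise the delta between two scans and the gate decision."""
    new, resolved, unchanged = compare_scans(baseline, post_change)
    ok, blocking = gate(new, threshold)
    return {
        "new": sorted(f.check_id for f in new),
        "resolved": sorted(f.check_id for f in resolved),
        "unchanged": sorted(f.check_id for f in unchanged),
        "accept_change": ok,
        "blocking": sorted(f.check_id for f in blocking),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Keying findings on (host, port, check_id) rather than on the check alone is what makes a newly exposed listener on a different port show up as a new finding instead of being masked by an identical check already known on port 443; the threshold is the policy knob, so the same delta can be reviewed at "critical" for an emergency change and at "medium" for routine ones.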
 

Author Comment

by: everycloud
ID: 40309609
Hi

Thank you for your helpful comments. My understanding is that a Vulnerability Test (VT) compares my instance with a database of known issues, whereas a Penetration Test (PT) "ignores" known issues and just tries to gain access any way that it can. The 24x7 monitoring just checks for real-time changes (logs, file integrity, etc.) and doesn't do any proactive testing.

Sean, I think that you are saying to do a VT more often (around instance changes) and a PT less often. Is this because a PT is more time consuming and a drain on the instance's resources?

Thanks
 

Assisted Solution

by: Sean Jackson
ID: 40309990
A different way of saying it would be a Vulnerability test is more like a scan.  A penetration test is a situation where a human is actually doing something proactively to assess the security of the network/application.

Yes, you've got it. A scan is (can be) automated, so it's easy to do.  A penetration test is more expensive, and requires scheduling, paperwork, communicating with multiple parties, etc.
