Solved

How often should Penetration Testing, Vulnerability Testing and Application Security Testing be done?

Posted on 2014-09-05
560 Views
Last Modified: 2014-09-15
Hi

My company has a new web based application that we wish to sell to other businesses. I have been asked the following questions by the Information Security Manager at a potential big new client:
"How often do you run Application Security Testing, Penetration testing & Vulnerability Testing?"

I am looking at maybe using something like Trend Micro's Deep Security. This solution offers some level of protection & monitoring 24x7, so how often should I run the potentially more aggressive tests that they are asking about? Would it be unrealistic to say something like "depending upon your exact requirements we usually run them every 1-3 months"?

Thanks for your help!
0
Question by: everycloud
5 Comments
 
LVL 21

Accepted Solution

by: Randy Poole (earned 125 total points)
You should really run it after you make updates to any of the following:
update to the SaaS itself
modification of the web server
modification of the database server
modification to the firewall/intrusion detection system
0
 
LVL 5

Assisted Solution

by: Sean Jackson (earned 375 total points)
Having a 24/7 monitoring solution is not a penetration test.

How often you conduct one is up to you and any regulations you are beholden to.  Typically I've seen penetration tests done annually. The application security test should be part of the penetration test, and a vulnerability test would be covered by the penetration test.  What I'm saying is, if you state (and actually do it) that you have external and internal penetration tests, covering applications as well, annually, you would be able to answer that question succinctly as "Annually", and easily meet what they're asking for.

1-3 months is VERY aggressive for a penetration test schedule.  Excessive, unless you've got national security data you need to protect.  IMHO.
0
 
LVL 5

Assisted Solution

by: Sean Jackson (earned 375 total points)
In reference to Randy's comment, I would not conduct a penetration test after those changes were made, but I would use a vulnerability scanner before you make the change (baseline), and then again after the change to see if any new vulnerabilities have presented themselves as a result of the change.
0
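The baseline-then-rescan approach Sean describes comes down to diffing two scan runs keyed by host, port and check. The script below is an added example written for this thread, not code from any poster or from a particular scanner; the scan records are constructed sample data in a minimal flat format (real scanner exports would need their own loader, but the diff logic is the same) and the hostnames are placeholders.

```python
"""Diff a baseline vulnerability scan against a post-change scan.

Added example, not from the thread. Each finding is keyed by
(host, port, check id); set differences between the two runs give the
findings the change introduced, the ones it resolved, and the ones that
persist. A simple severity gate then says whether the change should be
signed off or looked at first.
"""
from typing import Dict, Iterable, List, Tuple

Finding = Dict[str, object]
Key = Tuple[str, int, str]

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data: scan taken before a web-server change.
BASELINE: List[Finding] = [
    {"host": "app1.example.test", "port": 443, "id": "TLS-1.0-ENABLED",
     "title": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "app1.example.test", "port": 443, "id": "HSTS-MISSING",
     "title": "HSTS header missing", "severity": "low"},
    {"host": "db1.example.test", "port": 5432, "id": "PG-BANNER",
     "title": "PostgreSQL version disclosed", "severity": "info"},
]

# Constructed sample data: same hosts after the change. In this scenario
# the change fixed HSTS but exposed an admin port and a directory listing.
AFTER: List[Finding] = [
    {"host": "app1.example.test", "port": 443, "id": "TLS-1.0-ENABLED",
     "title": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "app1.example.test", "port": 8080, "id": "ADMIN-NOAUTH",
     "title": "Admin console reachable without authentication", "severity": "high"},
    {"host": "app1.example.test", "port": 443, "id": "DIR-LISTING",
     "title": "Directory listing enabled", "severity": "medium"},
    {"host": "db1.example.test", "port": 5432, "id": "PG-BANNER",
     "title": "PostgreSQL version disclosed", "severity": "info"},
]


def _key(finding: Finding) -> Key:
    """Identity of a finding across runs: same host, port and check id."""
    return (str(finding["host"]), int(finding["port"]), str(finding["id"]))


def index(findings: Iterable[Finding]) -> Dict[Key, Finding]:
    return {_key(f): f for f in findings}


def diff_scans(baseline: Iterable[Finding], after: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Return findings that are new, resolved, and persisting, in sorted key order."""
    before_idx = index(baseline)
    after_idx = index(after)
    new = [after_idx[k] for k in sorted(after_idx.keys() - before_idx.keys())]
    resolved = [before_idx[k] for k in sorted(before_idx.keys() - after_idx.keys())]
    persisting = [after_idx[k] for k in sorted(after_idx.keys() & before_idx.keys())]
    return {"new": new, "resolved": resolved, "persisting": persisting}


def change_introduced_risk(diff: Dict[str, List[Finding]], threshold: str = "medium") -> bool:
    """True if the change introduced any finding at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[str(f["severity"])] >= limit for f in diff["new"])


def format_report(diff: Dict[str, List[Finding]]) -> str:
    lines = []
    for label in ("new", "resolved", "persisting"):
        lines.append(f"{label.upper()} ({len(diff[label])}):")
        for f in diff[label]:
            lines.append(f"  [{str(f['severity']):>8}] {f['host']}:{f['port']} {f['id']} - {f['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = diff_scans(BASELINE, AFTER)
    print(format_report(result))
    if change_introduced_risk(result):
        print("Change introduced findings at or above threshold; review before sign-off.")
```

Keying on (host, port, check id) rather than on the finding title keeps the diff stable when a scanner reworded a check between runs; persisting findings are reported separately so that pre-existing debt is not mistaken for a regression caused by the change.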
 

Author Comment

by: everycloud
Hi

Thank you for your helpful comments. My understanding is that a Vulnerability Test (VT) compares my instance with a database of known issues, whereas a Penetration Test (PT) "ignores" known issues and just tries to gain access any way that it can. The 24x7 monitoring just checks for real-time changes (logs, file integrity, etc.) and doesn't do any proactive testing.

Sean, I think that you are saying to do a VT more often (around instance changes) and a PT less often. Is this because a PT is more time consuming and a drain on the instance's resources?

Thanks
0
 
LVL 5

Assisted Solution

by: Sean Jackson (earned 375 total points)
A different way of saying it would be: a vulnerability test is more like a scan. A penetration test is a situation where a human is actually doing something proactively to assess the security of the network/application.

Yes, you've got it. A scan is (can be) automated, so it's easy to do.  A penetration test is more expensive, and requires scheduling, paperwork, communicating with multiple parties, etc.
0