How often should Penetration Testing, Vulnerability Testing and Application Security Testing be done?

Hi

My company has a new web based application that we wish to sell to other businesses. I have been asked the following questions by the Information Security Manager at a potential big new client:
"How often do you run Application Security Testing, Penetration testing & Vulnerability Testing?"

I am looking at maybe using something like Trend Micro's Deep Security. This solution offers some level of protection & monitoring 24x7, so how often should I run the potentially more aggressive tests that they are asking about? Would it be unrealistic to say something like "depending upon your exact requirements we usually run them every 1-3 months"?

Thanks for your help!
everycloudAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Randy PooleCommented:
You should really run it after you make updates to any of the following:
update to the SAAS itself
modification of the web server
modification of the database server
modification to the firewall/intrusion detection system
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sean JacksonInformation Security AnalystCommented:
Having a 24/7 monitoring solution is not a penetration test.

How often you conduct one is up to you and any regulations you are beholden to.  Typically I've seen penetration tests done annually. The application security test should be part of the penetration test, and a vulnerability test would be covered by the penetration test.  What I'm saying is, if you state (and actually do it) that you have external and internal penetration tests, covering applications as well, annually, you would be able to answer that question succinctly as "Annually", and easily meet what they're asking for.

1-3 months is VERY aggressive for a penetration test schedule.  Excessive, unless you've got national security data you need to protect.  IMHO.
0
Sean JacksonInformation Security AnalystCommented:
In reference to Randy's comment, I would not conduct a penetration test after those changes were made, but I would use a vulnerability scanner before you make the change (baseline), and then again after the change to see if any new vulnerabilities have presented themselves as a result of the change.
0
everycloudAuthor Commented:
Hi

Thank you for your helpful comments. My understanding is that a Vulnerability Test (VT) compares my instance with a database of known issues, whereas a Penetration Test (PT) "ignores" known issues and just tries to gain access any way that it can. The 24x7 monitoring just checks for realtime changes (logs, file integrity, etc) and doesn't do any proactive testing.

Sean, I think that you are saying to do a VT more often (around instance changes) and a PT less often. Is this because a PT is more time consuming and a drain on the instance's resources?

Thanks
0
Sean JacksonInformation Security AnalystCommented:
A different way of saying it would be a Vulnerability test is more like a scan.  A penetration test is a situation where a human is actually doing something proactively to assess the security of the network/application.

Yes, you've got it. A scan is (can be) automated, so it's easy to do.  A penetration test is more expensive, and requires scheduling, paperwork, communicating with multiple parties, etc.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.