Solved

How often should Penetration Testing, Vulnerability Testing and Application Security Testing be done?

Posted on 2014-09-05
5
664 Views
Last Modified: 2014-09-15
Hi

My company has a new web based application that we wish to sell to other businesses. I have been asked the following questions by the Information Security Manager at a potential big new client:
"How often do you run Application Security Testing, Penetration testing & Vulnerability Testing?"

I am looking at maybe using something like Trend Micro's Deep Security. This solution offers some level of protection & monitoring 24x7, so how often should I run the potentially more aggressive tests that they are asking about? Would it be unrealistic to say something like "depending upon your exact requirements we usually run them every 1-3 months"?

Thanks for your help!
0
Comment
Question by:everycloud
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 21

Accepted Solution

by:
Randy Poole earned 125 total points
ID: 40306295
You should really run it after you make updates to any of the following:
update to the SAAS itself
modification of the web server
modification of the database server
modification to the firewall/intrusion detection system
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 375 total points
ID: 40306329
Having a 24/7 monitoring solution is not a penetration test.

How often you conduct one is up to you and any regulations you are beholden to.  Typically I've seen penetration tests done annually. The application security test should be part of the penetration test, and a vulnerability test would be covered by the penetration test.  What I'm saying is, if you state (and actually do it) that you have external and internal penetration tests, covering applications as well, annually, you would be able to answer that question succinctly as "Annually", and easily meet what they're asking for.

1-3 months is VERY aggressive for a penetration test schedule.  Excessive, unless you've got national security data you need to protect.  IMHO.
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 375 total points
ID: 40306332
In reference to Randy's comment, I would not conduct a penetration test after those changes were made, but I would use a vulnerability scanner before you make the change (baseline), and then again after the change to see if any new vulnerabilities have presented themselves as a result of the change.
0
 

Author Comment

by:everycloud
ID: 40309609
Hi

Thank you for your helpful comments. My understanding is that a Vulnerability Test (VT) compares my instance with a database of known issues, whereas a Penetration Test (PT) "ignores" known issues and just tries to gain access any way that it can. The 24x7 monitoring just checks for realtime changes (logs, file integrity, etc) and doesn't do any proactive testing.

Sean, I think that you are saying to do a VT more often (around instance changes) and a PT less often. Is this because a PT is more time consuming and a drain on the instance's resources?

Thanks
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 375 total points
ID: 40309990
A different way of saying it would be a Vulnerability test is more like a scan.  A penetration test is a situation where a human is actually doing something proactively to assess the security of the network/application.

Yes, you've got it. A scan is (can be) automated, so it's easy to do.  A penetration test is more expensive, and requires scheduling, paperwork, communicating with multiple parties, etc.
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question