How often should Penetration Testing, Vulnerability Testing and Application Security Testing be done?
Hi
My company has a new web based application that we wish to sell to other businesses. I have been asked the following questions by the Information Security Manager at a potential big new client:
"How often do you run Application Security Testing, Penetration testing & Vulnerability Testing?"
I am looking at maybe using something like Trend Micro's Deep Security. This solution offers some level of protection & monitoring 24x7, so how often should I run the potentially more aggressive tests that they are asking about? Would it be unrealistic to say something like "depending upon your exact requirements we usually run them every 1-3 months"?
Thanks for your help!
My company has a new web based application that we wish to sell to other businesses. I have been asked the following questions by the Information Security Manager at a potential big new client:
"How often do you run Application Security Testing, Penetration testing & Vulnerability Testing?"
I am looking at maybe using something like Trend Micro's Deep Security. This solution offers some level of protection & monitoring 24x7, so how often should I run the potentially more aggressive tests that they are asking about? Would it be unrealistic to say something like "depending upon your exact requirements we usually run them every 1-3 months"?
Thanks for your help!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for your helpful comments. My understanding is that a Vulnerability Test (VT) compares my instance with a database of known issues, whereas a Penetration Test (PT) "ignores" known issues and just tries to gain access any way that it can. The 24x7 monitoring just checks for realtime changes (logs, file integrity, etc) and doesn't do any proactive testing.
Sean, I think that you are saying to do a VT more often (around instance changes) and a PT less often. Is this because a PT is more time consuming and a drain on the instance's resources?
Thanks