Solved

How often should Penetration Testing, Vulnerability Testing and Application Security Testing be done?

Posted on 2014-09-05
5
642 Views
Last Modified: 2014-09-15
Hi

My company has a new web based application that we wish to sell to other businesses. I have been asked the following questions by the Information Security Manager at a potential big new client:
"How often do you run Application Security Testing, Penetration testing & Vulnerability Testing?"

I am looking at maybe using something like Trend Micro's Deep Security. This solution offers some level of protection & monitoring 24x7, so how often should I run the potentially more aggressive tests that they are asking about? Would it be unrealistic to say something like "depending upon your exact requirements we usually run them every 1-3 months"?

Thanks for your help!
0
Comment
Question by:everycloud
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 21

Accepted Solution

by:
Randy Poole earned 125 total points
ID: 40306295
You should really run it after you make updates to any of the following:
update to the SAAS itself
modification of the web server
modification of the database server
modification to the firewall/intrusion detection system
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 375 total points
ID: 40306329
Having a 24/7 monitoring solution is not a penetration test.

How often you conduct one is up to you and any regulations you are beholden to.  Typically I've seen penetration tests done annually. The application security test should be part of the penetration test, and a vulnerability test would be covered by the penetration test.  What I'm saying is, if you state (and actually do it) that you have external and internal penetration tests, covering applications as well, annually, you would be able to answer that question succinctly as "Annually", and easily meet what they're asking for.

1-3 months is VERY aggressive for a penetration test schedule.  Excessive, unless you've got national security data you need to protect.  IMHO.
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 375 total points
ID: 40306332
In reference to Randy's comment, I would not conduct a penetration test after those changes were made, but I would use a vulnerability scanner before you make the change (baseline), and then again after the change to see if any new vulnerabilities have presented themselves as a result of the change.
0
 

Author Comment

by:everycloud
ID: 40309609
Hi

Thank you for your helpful comments. My understanding is that a Vulnerability Test (VT) compares my instance with a database of known issues, whereas a Penetration Test (PT) "ignores" known issues and just tries to gain access any way that it can. The 24x7 monitoring just checks for realtime changes (logs, file integrity, etc) and doesn't do any proactive testing.

Sean, I think that you are saying to do a VT more often (around instance changes) and a PT less often. Is this because a PT is more time consuming and a drain on the instance's resources?

Thanks
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 375 total points
ID: 40309990
A different way of saying it would be a Vulnerability test is more like a scan.  A penetration test is a situation where a human is actually doing something proactively to assess the security of the network/application.

Yes, you've got it. A scan is (can be) automated, so it's easy to do.  A penetration test is more expensive, and requires scheduling, paperwork, communicating with multiple parties, etc.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question