Core Security
Events and Webcasts
Hacker Halted USA 2009

Title: “Security Testing: The Future of Internal Assessment and Assurance”
Presenter: Alex Horan
Date: September 23rd, 2009
Location: Hilton Miami Downtown

Abstract:
In nearly every aspect of IT, it is considered a fundamental requirement to test any system before it is deployed and to verify its continued operation after it is implemented. For example, all web application functions must be tested to ensure their functionality before and after deployment, with this work typically completed using both automated and manual assessment techniques.

Unfortunately, the field of IT security has not traditionally fostered the same level of commitment to testing, nor the tools and standard techniques required for assessing its overall efficacy. This stems primarily from the notion that security’s purpose is preventative and responsive rather than directly functional.

However, given the spiraling complexity of IT security technologies and processes themselves, and the proliferation of ever more sophisticated threats designed to circumvent these controls, there has arguably never been a greater need for organizations to actively assess their systems’ defenses.

Today this process typically involves hiring third-party penetration testing service providers who employ ethical hackers, along with the internal use of vulnerability scanning technologies at various levels throughout the IT security stack. Yet, judging by the success of many of today’s attacks, this approach has clearly proven insufficient.

As a result of all these factors, commercial penetration testing products are now emerging that, for the first time, allow organizations to make security testing a standard, repeatable process; but most still require significant time and expertise to use to their full capabilities. In the future, these products must mature rapidly into truly automated, safe, enterprise-class solutions. They must also provide users with all the information required to measure overall security effectiveness, remediate any vulnerabilities discovered, and generate the related regulatory compliance reports.

In this talk we explore how manual penetration testing has evolved over time from the specialized domain of an expert few into a standard practice accessible to most organizations, and examine the role of vulnerability and application scanning therein. From there, we will predict where security testing will go over the next five years as even more solutions emerge that allow large organizations to take greater control of their own security testing processes – and consequently gain the information they need to stay ahead of emerging threats.
