Sponsor: 3W Security

Let’s say you find a SQL database directly accessible from the internet. It’s the same story all over. There’s really no reason you should have this sort of system directly on the internet. There are much more secure ways to make this system available.

So why do we want to waste time as a tester to try and hack something we already know is insecure and why does the security manager need to pay more for this effort? The only real value is that you use this information to prove to other managers that this access needs to be shut down. So my argument here is that, once you find something that point blank doesn’t belong on the internet, your efforts as a company should be to put resources towards fixing the problem rather than proving that it’s a problem in the first place. It’s a waste of effort at this point.

IT Leadership is beginning to realize that one Pentest a year is not enough. What happens if an engineer makes a configuration mistake exposing your systems environment one week after your Pentest has been completed? You are basically exposed for a whole year if your vulnerability scans do not detect the issue.

Pentesting as a service is currently offered by a number of companies in this automated fashion. It’s only a matter of time before industry leaders start taking advantage of these technologies. Unfortunately, many organizations only implement the tools required for compliance, but those organizations who are serious about data security will gravitate towards these sorts of technologies that make your security program more effective.

Let’s say you find a SQL database directly accessible from the internet. It’s the same story all over. There’s really no reason you should have this sort of system directly on the internet. There are much more secure ways to make this system available.

So why do we want to waste time as a tester to try and hack something we already know is insecure and why does the security manager need to pay more for this effort? The only real value is that you use this information to prove to other managers that this access needs to be shut down. So my argument here is that, once you find something that point blank doesn’t belong on the internet, your efforts as a company should be to put resources towards fixing the problem rather than proving that it’s a problem in the first place. It’s a waste of effort at this point.

IT Leadership is beginning to realize that one Pentest a year is not enough. What happens if an engineer makes a configuration mistake exposing your systems environment one week after your Pentest has been completed? You are basically exposed for a whole year if your vulnerability scans do not detect the issue.

Pentesting as a service is currently offered by a number of companies in this automated fashion. It’s only a matter of time before industry leaders start taking advantage of these technologies. Unfortunately, many organizations only implement the tools required for compliance, but those organizations who are serious about data security will gravitate towards these sorts of technologies that make your security program more effective.