RE: Business justification for pentesting

From: William Tarkington (William.Tarkington_at_openwave.com)
Date: 08/30/05

  • Next message: dave kleiman: "RE: Where are Windows "Enforce password history" passwords stored?"
    Date: Tue, 30 Aug 2005 12:22:50 -0700
    To: <sectraq@gmail.com>, <pen-test@securityfocus.com>
    
    

    Gartner is the major provider of information regarding this type of
    stuff. If you aren't able to get access it's a crap shoot on the web.

    It is true that recovering from an incident costs more than preventing
    it.

    To get Pen-testing approved I generally use the fire sprinkler system
    analogy.

    We've invested this money in our security now we use pen testing to
    validate we have achieved what we invested our money for.

    Or just because you install a sprinkler system doesn't mean you don't
    test it once a year. Simply because the cost of not having it exceeds
    the cost of testing and the same is true for pen testing.

    --Will

    -----Original Message-----
    From: sectraq@gmail.com [mailto:sectraq@gmail.com]
    Sent: Tuesday, August 30, 2005 9:30 AM
    To: pen-test@securityfocus.com
    Subject: Business justification for pentesting

    hi all,

    a few classic questions that i would appreciate any answers for.
    1- i would like to briefly know how to quantify information assets. In
    other words, i hear a pentester say: if a hacker breaks in ur network, u
    will lose up to 40000$ for example. how can he come up with such
    figures?

    2- are there any other means to justify pentesting for management except
    for $$$?

    3- are there any official statistics, figures etc. for justifying
    pentesting. the more official it is the better.

    4- any other information you guys might find helpful in justifying a
    pentest would be appreciated.

    thnx in advance for ur help.

    T.N