Feb 13, 2013

How often should you conduct penetration testing?

What is a good rule of thumb to follow for penetration testing for IT security? How often is sufficient vs. being a waste of resources?

Really depends on the size of your company and what business model you are currently operating. For most of our customers, we perform a PEN Test annually and a quarterly Vulnerability Scan. Depending on the scan, that may lead us to perform a PEN Test if you are an MSSP customer of ours. Rule of thumb: get a Penetration Test annually if you are receiving a quarterly Vul Scan.

Here's a page with some good penetration testing information:

"Most people that find their way to this page do so because either they have been told they need to get their information systems tested to prove they are secure, or their systems have already been hacked and they want to understand what happened.

In both cases you'll be pleased to hear that the information in this guide should help you to quickly understand the choices you have available to improve the situation.

What is penetration testing?
The term "penetration testing" is an industry buzzword, which used to mean something quite specific, but is now commonly used by customers to refer to just about any type of security testing. We won't be bucking the trend either; we know a dead horse when we see one.

The general process tends to be that your systems get tested, and then at the end you receive a report that highlights all the insecure areas that need attention, along with advice on how to fix them."

Depends. Some certifications lay out specific requirements for pentesting. In general, I would mirror many certifications and say annually. If you make major changes to your network, I would think it would be wise to conduct penetration tests. One thing to keep in mind: if you use AWS or another cloud service, you probably need to get approval first and make sure that you don't violate your TOS by conducting penetration testing out of the blue.
