classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn
 

Search...
Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2018


An integrated approach to security
March 2009, News

At the end of last year I openly declared my belief that 2009 will see the death of penetration testing. That does not mean penetration testers are going to disappear, however, we will see the practice undergo a transformation and be reborn as part of a tightly integrated approach to security.

I believe it to be universally true that if you are not paying attention to security, then you have security problems and for this very reason penetration testing has been able to firmly establish its position in software security. Historically, many organisations have written code that they recognise will be insecure and, once complete, their first action is to deploy penetration testing to prove this premise, paying for the privilege.

Am I the only one to see the futility of this exercise? Not anymore.

Penetration testing will get wrapped into a much larger and far more comprehensive approach to improving security. The best initiatives balance the yin and the yang of attack and defence.

2008 saw us pass an inflection point

People are now spending more money on getting code right in the first place than they are on proving it is wrong. However, this does not signal the end of the road for penetration testing, nor should it, but it does change things. Rather than being a standalone product, it is going to be more like a product feature. Penetration testing is going to cease being an end unto itself and re-emerge as part of a more comprehensive security solution.

This kind of thing happens all the time in high-tech. The first PC spell-checkers were standalone programs, but the market for standalone spell-checkers died when they became a standard part of any word processor. These days spell-checkers are everywhere, but there is no market for a standalone spell-checker. Proof positive: there are not even any Web 2.0 or iPhone spell-checker start-ups.

So why now?

Alright, so why 2009? The time is right because back in 2007, IBM bought a company named WatchFire and HP bought a company named SPI Dynamics. The acquired companies both made Web application penetration testing products. IBM and HP spent serious money for these companies, not crazy dotcom prices, but even at HP and IBM you have to tell a good story before you get to spend upwards of 70 million dollars. The good story was that the acquired technology would work together with other products and services to fuel a broad entrée into a rapidly growing software security market.

It takes a little while to digest any acquisition, but by now it has been long enough. 2009 will be the year this strategy comes together, and when we look back, it will be the year when most of the world began thinking about penetration testing as part of a larger offering.

There will always be boutique security consulting companies with funny names and exotic services, but the industry will grow by integrating security yin and yang. If you would like a sneak preview of what the future holds, check out the work White Hat Security has done to integrate its vulnerability measurement service with Web application firewalls. This is attack and defence working together in a creative new way.

Evolve or die

More than ever before, people understand the software security challenge, and penetration testing deserves credit for helping spread the word. But knowing a security problem exists is not the same as knowing how to fix it. In other words, penetration testing is good for finding the problem but does not help in finding the solution – and that is why it must take a long hard look at itself and then make a change. Just like the venerable spell-checker, it is going to die and come back in a less distinct but more pervasive form and I, for one, cannot wait.

For more information contact Brian Chess, Fortify Software, www.fortify.com


  Share via Twitter   Share via LinkedIn      

Further reading:

  • From the editor’s desk: Integrate or fail
    October 2018, Technews Publishing, News
    The news earlier this month was that Bloomberg Businessweek published a story about Chinese cyber spies (well, with our media it has to be them or the Russians). Apparently, these devious spies had corrupted ...
  • Digital banking crime statistics
    October 2018, This Week's Editor's Pick, News
    The South African Banking Risk Information Centre (SABRIC) has released its inaugural digital banking crime statistics.
  • News in brief
    October 2018, News
    A round-up of some of the news happenings of the past month.
  • CyberGym launches South African arena
    October 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, News, Training & Education
    Wolfpack recently introduced a new cybersecurity training service to South Africa. CyberGym is an Israeli company that specialises in real-life cyber training, teaching students with real world simulations.
  • ESDA golfs for the poor
    October 2018, ESDA (Electronic Security Distributors Association, News, Conferences & Events, Associations, Training & Education
    The ESDA charity golf day was held at the Benoni Country Club on 20 September 2018 in aid of AMCARE.
  • Cam Era launches security franchise
    October 2018, Technews Publishing, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, News
    New security franchise available in South Africa based on visual verification technology. Franchisor says no technical skills required.
  • West Africa gets secure
    October 2018, Training & Education, News, Conferences & Events
    Securex West Africa is the exhibition and conference shaping the Nigerian security, fire and safety industry.
  • Stallion’s acquisition of MASC promises growth
    October 2018, Technews Publishing, News, Integrated Solutions
    In March this year, Stallion Security acquired MASC Solutions as a continuation of its efforts to expand beyond its established strengths and take advantage of new market opportunities.
  • Open Security & Safety Alliance launched
    October 2018, News, Associations
    Bosch Building Technologies, Hanwha Techwin, Milestone Systems, Pelco by Schneider Electric and VIVOTEK are founding members supporting the launch of The Open Security & Safety Alliance.
  • GreyEnergy group targeting critical infrastructure
    October 2018, Cyber Security, News
    ESET researchers reveal a successor to the feared BlackEnergy APT group - in the footsteps of a feared threat actor, with a new arsenal of tools.
  • J2 offers enterprise-grade security for SMEs
    October 2018, J2 Software, Cyber Security, News
    Rising levels of cybercrime, and its increasing sophistication, threaten businesses of all sizes but SMEs are particularly vulnerable.
  • New Panasonic appointment
    October 2018, Panasonic South Africa, News
    Natalie Winkworth has been appointed as sales and marketing admin manager at Panasonic SA.

 
 
         
Contact:
Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Other
Terms & conditions of use, including privacy policy
PAIA Manual
         
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.