An integrated approach to security

March 2009 News

At the end of last year I openly declared my belief that 2009 will see the death of penetration testing. That does not mean penetration testers are going to disappear, however, we will see the practice undergo a transformation and be reborn as part of a tightly integrated approach to security.

I believe it to be universally true that if you are not paying attention to security, then you have security problems and for this very reason penetration testing has been able to firmly establish its position in software security. Historically, many organisations have written code that they recognise will be insecure and, once complete, their first action is to deploy penetration testing to prove this premise, paying for the privilege.

Am I the only one to see the futility of this exercise? Not anymore.

Penetration testing will get wrapped into a much larger and far more comprehensive approach to improving security. The best initiatives balance the yin and the yang of attack and defence.

2008 saw us pass an inflection point

People are now spending more money on getting code right in the first place than they are on proving it is wrong. However, this does not signal the end of the road for penetration testing, nor should it, but it does change things. Rather than being a standalone product, it is going to be more like a product feature. Penetration testing is going to cease being an end unto itself and re-emerge as part of a more comprehensive security solution.

This kind of thing happens all the time in high-tech. The first PC spell-checkers were standalone programs, but the market for standalone spell-checkers died when they became a standard part of any word processor. These days spell-checkers are everywhere, but there is no market for a standalone spell-checker. Proof positive: there are not even any Web 2.0 or iPhone spell-checker start-ups.

So why now?

Alright, so why 2009? The time is right because back in 2007, IBM bought a company named WatchFire and HP bought a company named SPI Dynamics. The acquired companies both made Web application penetration testing products. IBM and HP spent serious money for these companies, not crazy dotcom prices, but even at HP and IBM you have to tell a good story before you get to spend upwards of 70 million dollars. The good story was that the acquired technology would work together with other products and services to fuel a broad entrée into a rapidly growing software security market.

It takes a little while to digest any acquisition, but by now it has been long enough. 2009 will be the year this strategy comes together, and when we look back, it will be the year when most of the world began thinking about penetration testing as part of a larger offering.

There will always be boutique security consulting companies with funny names and exotic services, but the industry will grow by integrating security yin and yang. If you would like a sneak preview of what the future holds, check out the work White Hat Security has done to integrate its vulnerability measurement service with Web application firewalls. This is attack and defence working together in a creative new way.

Evolve or die

More than ever before, people understand the software security challenge, and penetration testing deserves credit for helping spread the word. But knowing a security problem exists is not the same as knowing how to fix it. In other words, penetration testing is good for finding the problem but does not help in finding the solution – and that is why it must take a long hard look at itself and then make a change. Just like the venerable spell-checker, it is going to die and come back in a less distinct but more pervasive form and I, for one, cannot wait.

For more information contact Brian Chess, Fortify Software, www.fortify.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Black Point Tech continues the tradition
Issue 2 2021, Black Point Tech cc t/a BPT , News
Black Point Tech, trading as BPT, is a new company that inherits the history of others that, in the past, have distributed solutions in the fields of intercom systems, parking management as well as general access control solutions.

Read more...
Suprema ranks first in survey
Issue 2 2021, Suprema, neaMetrics , News, Access Control & Identity Management
In a recent survey conducted in Korea, Suprema was chosen as the top brand for access control management software and mobile access solutions.

Read more...
Suprema integrated with Nedap
Issue 2 2021, Suprema , Access Control & Identity Management, News
Suprema recently announced that it has integrated its latest facial recognition devices into Nedap's access control system, AEOS, to enable organisations to manage their access control by making use of Suprema’s latest facial recognition technology.

Read more...
Commercialising vehicle security monitoring services
Issue 2 2021 , News
To protect connected vehicles around the world against cyberattacks, Panasonic and McAfee will build vehicle SOCs that enable accurate detection and early response to attacks and help strengthen cybersecurity measures in the automotive industry.

Read more...
Fidelity ADT expands security footprint
Issue 2 2021, Fidelity ADT , News
Fidelity ADT has concluded an agreement with National Security & Fire in the Vaal and KZN South Coast areas whereby it will be taking over the monitoring and armed response service contracts in these areas as of 1 April.

Read more...
AURA expands into East Africa
Issue 2 2021 , News
South African business, AURA, is expanding its operations into East Africa with new Kenyan office and general manager.

Read more...
From the editor's desk: Maybe security should STTFS
Issue 2 2021, Technews Publishing , News
The IT industry has an acronym, RTFM, Read the Manual; you’ll notice I left the F out. The same can be said for the security industry, but a recent experience has shown me that both industries, even as ...

Read more...
ONVIF reaches milestone of 20 000 conformant products
Issue 2 2021 , News
ONVIF has announced that more than 20 000 security products are now conformant to its various profiles, indicating the strong market demand for interoperability of hardware and software offerings and the relevance of ONVIF as a driver of open standards within physical security.

Read more...
Suprema’s fingerprint recognition algorithm supplied to Samsung Galaxy S21 series
Issue 2 2021, Suprema , News
Suprema announced that it supplied BioSign 4.0, its under-display fingerprint recognition algorithm to the Samsung Galaxy S21 smartphones with support from Qualcomm Technologies.

Read more...
ISO 27001 awarded to Secutel Technologies
Issue 2 2021, Secutel Technologies , News
Secutel Technologies, a developer of physical security technology and provider of cloud-based solutions, announced that it has achieved the International Organization for Standardization (ISO) 27001 certification.

Read more...