Pentests
Penetration tests should ideally be conducted by external, independent firms with no prior exposure to the systems being tested. This gives an unbiased assessment and more closely simulates the starting position of a real attacker. Rotating the firms or individual testers over time brings fresh perspectives, different skill sets, and new methodologies, which increases the likelihood of uncovering different classes of vulnerabilities and attack paths.
Conducting penetration tests on a regular basis is a proactive way to identify and remediate security weaknesses before malicious actors can exploit them. It also demonstrates a commitment to continuously improving the organization's security posture.
Outcome
- A pentest scope is defined and agreed upon
- Pentests are performed on a periodic basis by external entities
- Identified vulnerabilities are fed into the vulnerability management program for tracking and remediation
Metrics
- Number of pentests performed
- Number of vulnerabilities identified
- Number of vulnerabilities fixed
Tools & Resources
- TBD (Free)