Penetration tests have long been known as a critical security tool that exposes security weaknesses through simulated attacks on an organization’s IT environments. These test results can help prioritize weaknesses, providing a road-map towards remediation.
The results can do more than that. They identify and quantify security risk, and can serve as a keystone of an organization's cybersecurity policies. The same is true of an organization's broader penetration testing practices: how often it tests, what it tests, and who does the testing.
Organizations gain real value from learning about others’ penetration testing experiences, trends, and the role they play in today’s threat landscape.
The world of pen testing can be an interesting balance of open collaboration and closely guarded privacy. While pen testers may engage in teaming exercises, or happily talk technique when they attend Black Hat, most organizations are extremely reluctant when it comes to discussing their pen testing practices and results.
Of course, confidentiality and security should be kept top of mind: sharing anything that puts data at risk defeats the point of pen testing to begin with.
Further, publicizing security weaknesses does not help maintain confidence in an organization’s ability to keep their customers’ information safe. However, there is still valuable data that can be shared without divulging sensitive information.
For example, information about average pen testing team sizes and testing frequency can help an organization determine whether it needs additional resources. Learning about the different types of tests being performed (such as external network, internal network, web application, or social engineering tests) can help an organization set its own testing priorities.