Tip #5: Develop a close relationship with the penetration testing team.
Penetration testers are given privileged access to your systems and infrastructure, so they will necessarily gain detailed insight into your organization's weaknesses. Developing a trusted relationship with test team personnel, especially external consultants, is an excellent way to reduce the risk that this sensitive information and knowledge is handled improperly.
Tip #4: Stay involved in the details of any penetration testing process.
Treating a penetration test as a black box whose details are unknown to you is a symptom of either negligence or an insufficient technical background on the supervisory team. Take the time to understand the tools, techniques, processes and findings of the engagement, and you will find that your insight, and your ability to turn results into meaningful action, increases dramatically.
Tip #3: Develop clear boundary conditions for penetration testers.
The nature of penetration testing involves creative exploration in search of unexpected functionality or conditions in a target system. Unless testers understand clear boundaries (such as never performing a denial of service attack against any production system), the possibility arises that they will go too far. Put these rules of engagement in writing, agreed by both sides, before testing starts; it is the responsibility of security managers to ensure that testers do not overstep them.
Tip #2: Use penetration testing to show the presence of flaws.
A powerful technique for getting the attention of business units or managers who refuse to acknowledge the importance of good security is to expose a vulnerability that ties directly back to their own systems or applications. When presented with clear evidence of a vulnerability, many teams get security religion quickly, and the result can be smoother cooperation on the activities for which you need their help.
Tip #1: Never use penetration testing to demonstrate the absence of flaws.
Perhaps the worst mistake that managers of penetration test activity can make is to confuse mitigation of the set of flaws a test discovered with the removal of all flaws. Penetration testing, like all testing, is great at showing the presence of errors but a terrible means of proving their absence: a test reports only what its testers found within their scope, time and skill. Never confuse fixing the flaws a penetration test turned up with being secure. This is a rookie mistake to avoid at all costs.