By Keith Ferrell
Special To Dark Reading
Apr 16, 2010
Conducting penetration testing in-house rather than using an outside
consultant is worth considering for reasons of both cost and security
expertise -- but it's also a step not to be taken lightly.
"The advantage of having in-house penetration testers is the focus they
provide," says Chris Nickerson, founder of security firm Lares
Consulting. "They're able to keep track of the latest exploits and
vulnerabilities, constantly monitor systems, and practice and sharpen
their skills. But in order to achieve those benefits, they have to be
Nickerson points out that while some really large enterprises are
fielding teams wholly dedicated to testing, for most companies pen tests
are only part of the testers' responsibilities. "It's all too common to
find penetration tests delayed or put off because the tester has too
many other open tickets to deal with," he says.
While even a part-time pen-test specialist on staff can be a step in the
right direction, that arrangement also carries risk. "The variety of tools available
for pen tests today is remarkable, and I pretty much applaud them all,"
he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot
of time ensuring that installing their agents doesn't blow the boxes that
are being tested. That's the default: Once the agent is installed and
it's determined whether or not the exploit works, the agent is