So the latest article by Brian Chess didn't stir up quite the controversy that his "pentesting is dead in 2009" interview/article did, but this one is worth a read:
It's a short article and not nearly as controversial as the "dead in 2009" one, but three quotes...
"People are now spending more money on getting code right in the first place than they are on proving it is wrong. However, this does not signal the end of the road for penetration testing, nor should it, but it does change things. Rather than being a standalone product, it is going to be more like a product feature. Penetration testing is going to cease being an end unto itself and re-emerge as part of a more comprehensive security solution."
"2009 will be the year this strategy comes together, and when we look back, it will be the year when most of the world began thinking about penetration testing as part of a larger offering."
All that is good news (I think): secure coding is where things need to go, but I personally don't feel any amount of secure code will ever completely replace pentesting as long as it's possible to mis-configure it or set it up insecurely. So Microsoft Windows at some point may be free of stack overflows (or any memory corruption exploits), but that won't stop some system admin from setting up their domain in some insecure fashion. That will still need to be pentested to discover and help remediate. Which leads me to the last quote...
"More than ever before, people understand the software security challenge, and penetration testing deserves credit for helping spread the word. But knowing a security problem exists is not the same as knowing how to fix it. In other words, penetration testing is good for finding the problem but does not help in finding the solution – and that is why it must take a long hard look at itself and then make a change. Just like the venerable spell-checker, it is going to die and come back in a less distinct but more pervasive form and I, for one, cannot wait."
I don't agree with this. Penetration testing/testers should never leave you without a fix for security issues. I know a lot of pentesters and I don't know any that don't give the customer recommendations for remediation, and a customer shouldn't accept a pentest that doesn't have recommended fixes. I suspect that what Chess meant here were "problems" like SQL injection vulns or code bugs that a source code scanning tool could help find and recommend the secure way to code, where a pentester may say "recode it", "have your developers find and fix the code" or "you may have improper parameter checking in this public function", etc.
I do agree that pentesting should evolve, but I think it should begin to look more at assessing an organization from many angles and taking the path of least resistance, rather than pentesting the network side one quarter, the web app side the next, physical security the next, etc. When we begin to identify what makes us money, then look at how we are protecting it across the enterprise, then test all those defenses at the same time, we are evolving in the right direction. The evolution should be Full Scope pentesting and not the way most shops do it now.
Anyone else have thoughts on the article?