Twelve Reasons Pen Testing Won't Die
Core Security Technologies CTO Ivan Arce lists 12 reasons Fortify Co-Founder and Chief Scientist Brian Chess is wrong about 2009 marking the end of pen testing
By Ivan Arce
December 12, 2008 — CSO —
Each year, during the sprint to the finish line of the fourth quarter, just before we have our last chance to revisit our carefully thought out and meticulously prepared and negotiated plans for the next year, the distinguished group of modern Nostradamuses in our industry unveil their penultimate prophecies for the year to come.
Don't get me wrong. The art of security industry futurology is not for the faint of heart and I deeply respect the artists. To predict not only what will happen but also when and how long it will last, a hefty amount of courage and intrepidness is required. Perhaps that is why the pros in the business equip themselves with a series of mathematical modeling gimmicks and an arsenal of surveys and statistics to corroborate their chosen hypothesis.
If you are interested in becoming one of them but feel that you are not brave enough, fear not! There is still hope for less daring individuals -- such as myself -- willing to become apprentices at the School of Information Systems Security Prophets (SISSP).
To get to the entry level, the Security Prophet's Minor League, so to speak, one only needs to predict something that will not occur in the next year and get it published in a respectable medium.
Yes! This sounds easy, doesn't it? I've entertained the idea that I could do it and in the past weeks I've prepared some very suitable predictions along these lines: "In 2009 Web applications will not get rid of the security bugs that plague them" or "In 2009 applying security patches will not become obsolete" or, the even more audacious: "In 2009 firewalls will not be deprecated."
At first this seemed easy but then I realized that those predictions would not suffice to pass my SISSP examination and even if they did getting them published somewhere respectable would remain an open issue.
Fortunately, I found an opportunity I could not pass on -- this week's CSO Online article covering a 2009 prediction from Brian Chess, CTO of Fortify, a colleague for whom I have much professional respect: Penetration Testing: Dead in 2009.
As you probably already guessed, in this article I intend to counter-predict Brian (don't get upset Brian, I know you've been extremely gracious quoting me in your book and sending me a complimentary copy and this is how me, the Most Ungrateful, pays you back. If I was even remotely decent I would be ashamed of myself and not do this, but what can I say: The temptation was too great and I am a weak).