To Pentest or not to Pentest: is this really the question?

I wrote before about pentesting in the article “What is Pentesting, Vulnerability Scanning, which one do you need?”. If you are a company with web services of any kind, or some kind of backend, you are asking yourself whether you should only do pentesting or do things right and carry out the entire risk assessment and threat modeling exercise. Pentesting is like an insurance policy, showing the external world that your product will not be hacked easily once it is live. The common understanding these days is that pentesting identifies such errors and helps the company fix them. It might find really big issues, which normally denote a severe lack of knowledge (aka incompetence) regarding the programming of web services. Most of the time this isn't the case. But what is certain is that, most of the time, it produces so many false positives that they mask any medium or small issue that might become a problem in the future. Again, I am not saying that you should not do pentesting. I am saying that it should be done at a later point in time, with a different priority. I can think from different points of view: from the perspective of the…
