from CSO Online


    Does pen testing belong in the QA department? Fortify Co-Founder and Chief Scientist Brian Chess says 2009 will mark the end of pen tests as we know them. His theory is being met with resistance.

    Naturally, security practitioners who swear by pen testing as a critical component of a layered security program are reacting to his hypothesis with more than a little skepticism.

    Jennifer Jabbusch, CISO at Carolina Advanced Digital Inc. in the Raleigh-Durham area of North Carolina, took issue with Chess’ basic premise that penetration testing will become a component of monitoring and measuring.

    “Pen testing will continue,” she said in an exchange over the Twitter social networking site. “Monitoring and measuring is not pen testing. It’s what you do after pen testing.”

    She also faulted the example of desktop publishing being a dead art, saying, “Desktop publishing isn’t dead. In fact, it’s grown. Now you can design on your desktop and deliver via the Internet for printing at FedEx/Kinkos.”
