[Dailydave] So when will the end of pen-tests begin?
Kurt Grutzmacher
grutz at jingojango.net
Thu Nov 23 13:22:47 EST 2006
On 11/23/06, Saad Kadhi <saad at docisland.org> wrote:
> I don't think pen-tests will "end". Think about the actual trend of
> distributed components, SOA etc. They may need recalibration (for ex.
> by acquiring more knowledge beforehand on the inner guts of software
> instead of a Black Box approach) and skills' honing but they still
> and will remain an essential part of software security.
Penetration testing has already started to become less and less of
"What can you find" and more of "please do this so we can sign off on
<insert certification here>". They're pre-production check-offs for
PCI, SOX, etc. Some customers still find great value in using trusted
partners for validation of methodology, installation, etc., but when it
comes to the dollar value of PTs it's turning into a part of
compliance vs. nebulous black arts necromancy.
In my opinion, of course. :) I'd prefer to pay my respect to the elder
gods for an SQL injection that nets me the SSN database, but as a
client that's only part of the reason they came to me.