So this entry goes to support my previous post about Insecure Security Technologies and some of the confusion that these vendors can cause. Recently Networkworld published an article named “Penetration Testing: Dead in 2009” and cited Brian Chess, the CTO of Fortify Software as the expert source. 

The first thing that I want to point out is that Brian Chess is creating confusion amongst the non-expert people who read the article linked above.  The laymen might actually think that Penetration Testing is going to be dead in 2009 and as a result might decide to buy technology as a replacement for the service.  Well, before you make that mistake read this entire entry. I’ll give you facts (not dreamy opinions) about why Penetration Testing is required and why its here to stay.
As a side note, Brian Chess has a vested interest in perpetrating this fantasy because his objective is first and foremost to sell you his technology.  
Technology, like Brian Chess’s technology is a solution to a problem, which by definition means that the problem came first and the technology was always a few steps behind.  With respect to IT Security, hackers are always creating new methods for penetrating into networks (the problem). Because those methods of attack are new, the technology is not able to defeat them (because the solution doesn’t yet exist). So if technology can’t protect you, then how do you protect yourself?

The best way to protect yourself is to use a combination of technology (to solve known problems) and Penetration Testing (to identify the unknown). A properly executed penetration test will reproduce the same or greater threat levels that your infrastructure will likely face in the real world.  This is akin to testing the armor of the M1A2 tank.  You shoot the armor with RPG’s and armor piercing rounds so that you can study the impact and improve the armor to the point where it defeats the threat.  As a result Penetration Testing can move your security posture well past the limits of what technological solutions have to offer.  My professional recommendation is that both Technology and Penetration Testing should be used.  Sorry Mr Chess, but telling people that Penetration Testing will be dead by 2009 is just fiction. 

Moving on…

As a general rule of thumb I try to avoid saying that anything is 100% secure or invulnerable to attack because that sort of claim is impossible.  But while reviewing the Fortify website I found the following text and thought it was worthy of note: “Fortify 360 renders software invulnerable to attacks from cyber predators.” This sort of marketing fluff falls under the same class of confusing noise as Brian Chess’s claim that Penetration Testing will be dead by 2009, total fiction.  It is mathematically  impossible for Fortify 360 to render software “invulnerable to attacks from cyber predators.” unless the software is mathematically proven to be secure, and it hasn’t.  

If anyone disagrees with what I’ve said here by all means leave me a comment. If you can prove me wrong then I’ll happily make corrections, but I’m pretty sure I’m on the ball with this one.   And Mr. Chess, if you think that your technology renders your customers “invulnerable to attacks from cyber predators” then I challenge you to let my research team test an evaluation copy of your technology, after all the skills that we posses according to you are outdated and shouldn’t pose a threat to your software.  ;]