First, a quick poll: how many types of security testing do you know? Let me try…
- Penetration testing (PT)
- Red teaming (RT) – differences of PT and RT are discussed here
- Vulnerability assessment
- Application security testing (AST)
- Security rating services (like BitSight and SecurityScorecard)
- Attack, threat, breach simulation tools (details)
- Others, possibly many others….
Now, at the risk of sounding too philosophical, what does it even mean “to test one’s security”? At this early stage of our effort, all bets are off, but we do want to look into testing of security technologies and processes (such as detection and response processes), with the focus on outcomes, not controls. In essence, we want to look into testing the effectiveness, not the presence, of security controls.
Please share how you think of TESTING SECURITY … and please don’t say that “a good pentest should be enough security testing for everybody.”
Note that we will try to keep the focus of this on actually TESTING, not other forms of evaluating, measuring, assessing or guessing about security … Asking people how secure they think they are isn’t testing. Questionnaires isn’t testing. Reviewing policies isn’t testing. Even reviewing the lists of controls they think they deployed isn’t testing (IMHO).
In fact, overall, paper security isn’t.
Blog posts related to Testing Security project:
Read Complimentary Relevant Research
Three Critical Factors in Building a Comprehensive Security Awareness Program
Three key elements form the foundation of a successful awareness education program: knowledge of audiences, pervasive and continuous...
View Relevant Webinars
IoT for Midsize Enterprises
IoT innovation can deliver growth and product improvement - two of the top business priorities cited by CEOs of midsize enterprises in...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.