Interesting article by Bill Brenner on the death of penetration testing – also referenced and discussed here at Jeremiah’s site.

We’re (Securus Global) getting to the stage of a more generic description of just plain old “security testing”. I can’t see it being “dead” anywhere in the short-term future. What’s the real workable alternative for testing “production” software against known and, in many cases, unknown types of attacks and vulns? (Regarding the latter, it still surprises me how many “specialists” believe 0days only exist once they are reported publicly. :-) ) Code-level reviews, while good, are too expensive for most companies and do hinder delivery dates (regardless of the value they provide) – business realities.

Is it dead when it’s barely started across the business world? Where’s the starting point for the “new” (and already lacking/wanting) approaches?

  1. Declan says:

    “Penetration tests and vulnerability scans help us find where our processes, procedures, and standards might need work,”

    They save the best till last. And this is the gem. Pen testing, the way it is done now, should be dead. Well – at least it should be the exception to the rule. The idea of performing potentially destructive testing (which is the only way to actually find the problems, even if that is not the way most “Authorized” testing is performed) on live systems that have been in production for years is the lesser of two evils. Sure, you will find your problems, and you will demonstrate risk, but the problems simply should not be there to begin with, and if the system has been live for any length of time then someone else would have found them already, whether the company knows it or not.

    Penetration Testing should be just another part of QA for any new system being developed. Just like UAT and just like DR testing. Nothing fancy, just another tick in the project manager’s sheet to say that they have been looking after the business.

    I have a theory on this “Whatever tech is dead” crap. There is always heaps of media hype (or is that just vendor hype these days?) about whatever is the new, trendy thing in IT. Keywords that will sell anything and get clicks, whatever.

    A good example is IDS (something close to my heart). IDS was great, and awful at the same time. As an idea it was wonderful, but the implementation of the products fell far short of expectations.

    As soon as the vendors finally got on top of it (and it took some years) and the products were mature and genuinely useful, Gartner came out and declared IDS dead.

    I was a little perplexed at this, as I could clearly see that there had never been a better time to get IDS set up – it was finally a good, mature technology without the snake oil.

    It’s all about perspective. IDS was dead for the media; it was dead because there were no longer going to be 100 new startups pumping out empty, sensationalist press releases. And for this reason too it was no longer up there for the VC guys to be financing its development. For many people, it was dead. In fact it was dead for everyone except the people it was targeted at – business. For business it was better than ever. It was mature, and IDS was now a part of the ordinary operational budget.

    And the same with Penetration Testing. It’s not crazy voodoo anymore. It’s not this amazing thing that is black magic and has to be back-ported into all existing projects. It’s business as usual.

    Reading this article really put a smile on my face – now that Penetration Testing is business as usual and no longer black magic, the media can get onto the next ‘big thing’. Even if, now, we are just not as cool.