TT: Which types of companies are buying penetration tests?
Amit: All sorts, all sizes and across all sectors. Certainly the awareness is growing in regards to ongoing web assurance programs. Organisations are starting to realise how valuable a test that determines potential exposure and security threats from the Internet are. Anyone under the PCI program should be doing them so there's a good chunk of retail and services companies. Telcos do them given the significance of their e-Offerings and banks obviously need to be vigilant to potential exposures. All companies with a Web presence should be heading down the path.
Brian: Every type of company out there, and it isn't just tech companies anymore. Any type of company with information they need to protect wants this type of service.
Adam: The most common for us at the moment are financial services companies, as they are affected by SOX and Australian standards for audits. Everyone is being stung by regulatory compliance issues, which have seen "security testing" become required rather than being preferred.