Security Think Tank: Automated security testing is not for all

What is the best approach to automating information security?

Unless there is a distinct need for automated security testing, such as might be required for ongoing PCI-DSS compliance, automated testing does not enter the consciousness of most IT folk or company boards.

Unless a company has in-house expertise to develop scripts and massage data, the simplest and easiest automated testing route is to use one of the web-based services that can test a company’s internet-connected systems.

Typically, these services will test a company’s website, but other services, such as email or virtual private network (VPN) access, should not be forgotten because they are all gateways into a company’s network.

One of the best-known providers of these automated test services is Qualys, but an internet search using the term “automated pen testing” will throw up a number of providers. Wikipedia also has a number of sections devoted to penetration testing, web testing and test automation.  

Some specialist test companies can also provide an on-site test box that will perform internal testing of any internet firewall. These devices will “phone home” with their test results and, as is common with any automated test service, the results can be displayed on a web page that is only available to the subscribing company. Emailed summaries are also commonly available and usually additional to a web-based report.

If a company has a competent IT team, running tools such as Nessus can be an alternative. Nessus can be scripted to perform tests across a range of IP addresses and services and will provide reports. This can be viewed as a semi-automated test regime and is a good way to check for missing patches, but the report output of Nessus is somewhat stilted and machine-driven, and so requires some analysis to be of real use.
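As an added illustration of the analysis step just described (example code, not Nessus's own tooling), the following script reads a CSV export from a scheduled scan, drops the informational noise, and turns the per-row output into two views an IT team can act on: findings per host by severity, and a patch worklist that collapses one missing patch found on many hosts into a single item. The column names are assumed to follow the common Nessus CSV export and should be checked against your own file; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Severity order as used in the Nessus "Risk" column (assumption: the labels
# Critical/High/Medium/Low/None match your export).
RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

# Constructed sample rows in the column layout of a Nessus CSV export
# (assumption: verify the header against your own export before use).
SAMPLE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Solution
10287,,0.0,None,192.0.2.10,udp,0,Traceroute Information,Route recorded,n/a
90001,CVE-PLACEHOLDER-1,9.8,Critical,192.0.2.10,tcp,445,Example OS update missing,Unpatched,Apply vendor patch
90002,CVE-PLACEHOLDER-2,7.5,High,192.0.2.10,tcp,80,Example web server update missing,Unpatched,Apply vendor patch
90002,CVE-PLACEHOLDER-2,7.5,High,192.0.2.11,tcp,80,Example web server update missing,Unpatched,Apply vendor patch
90003,,5.0,Medium,192.0.2.11,tcp,22,Example SSH weak setting,Weak config,Harden configuration
"""


def parse_nessus_csv(text):
    """Return the export's rows as dicts, dropping informational (Risk=None) rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return [r for r in rows if RISK_RANK.get(r["Risk"], 0) > 0]


def per_host_counts(findings):
    """Count findings per host by risk label, e.g. {'192.0.2.10': {'Critical': 1, 'High': 1}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["Host"]][f["Risk"]] += 1
    return {host: dict(c) for host, c in counts.items()}


def worklist(findings, min_risk="High"):
    """Collapse repeated plugins into one item each, listing the affected hosts,
    most severe first: the 'which patch, on which boxes' view the raw report lacks."""
    by_plugin = {}
    for f in findings:
        if RISK_RANK[f["Risk"]] < RISK_RANK[min_risk]:
            continue
        item = by_plugin.setdefault(f["Plugin ID"], {
            "name": f["Name"], "risk": f["Risk"],
            "solution": f["Solution"], "hosts": set()})
        item["hosts"].add(f["Host"])
    items = sorted(by_plugin.values(), key=lambda i: -RISK_RANK[i["risk"]])
    return [{**i, "hosts": sorted(i["hosts"])} for i in items]


if __name__ == "__main__":
    found = parse_nessus_csv(SAMPLE_CSV)
    print(per_host_counts(found))
    for item in worklist(found):
        print(item["risk"], item["name"], "->", ", ".join(item["hosts"]))
```

Lowering `min_risk` widens the worklist; scheduling the scan and feeding its export through this script is what turns a one-off Nessus run into the semi-automated regime described above.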

This is good for companies that have a geek or two in their IT department, but not necessarily suitable for all.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management
