Penetration Testing Effectiveness
Discussions center on the value, limitations, quality, and alternatives like bug bounties to penetration testing (pentesting) for cybersecurity assessments, often questioning why companies skip it or its effectiveness in finding critical vulnerabilities.
Sample Comments
Pen testing not a viable alternative?
I wonder if they do any form of penetration testing?
Why not bother with pentesting?
"Was just pentesting it" ... hopefully with their permission. Be careful.
Just going to say here that people routinely engage pentest firms, several times annually, for roughly that sum of money, hoping but not expecting game-over vulnerabilities (and, from bitter experience as a buyer rather than a seller of those services over the last 5 years --- "no game-over vulnerabilities" is a very common outcome!)
You're better off doing a private bug bounty through bug crowd or hackerone. Pentests are point in time assessments. Usually with one to two testers, with limited scopes of expertise. Bug bounties can bring in hundreds of testers with a wide breadth of expertise that continuously test.
They're just a tool. You can use them wisely or you can use them poorly. They can be an incredibly useful additional set of eyes if you've already done the basics, or you could get flooded with piles of issues that anyone could have found. I used to work in sec consulting a decade ago and it was a shitshow, clients wouldn't have credentials ready when you were meant to start testing (but they'd still get billed), we were told to scope pentests to IPs with no listening servi
This exists: https://en.wikipedia.org/wiki/Penetration_test
Periodic pentesting by a reputable firm
Do they pen test it? https://news.ycombinator.com/item?id=39378235