184 Security De-engineering
never be relied on as the single source of information on the status of
network security.
Penetration testing costs are certainly less than they were in the
late 1990s/early 2000s, but they are also nonnegligible. Usually a test
that is supposedly “manual” will be billed out to cover a maximum
of two calendar weeks and up to 40 man-days of testing (10 calendar
days with four security analysts). If an organization is using a
third-party penetration testing team as a substitute for in-house
security expertise, is 40 man-days enough time to give even a
semi-accurate picture
of the network security posture? Given the complexity of systems and
applications, certainly this is not enough time, even with a highly
skilled test ...