Penetration Testing—Old and New 189
the audit” phenomenon that I described in Chapter 4. The other was a
fall-off in testing quality on the service provider side and also a lack of
appreciation/understanding of testing quality on the part of the testing
subjects. If the penetration test was seen as not delivering anything of
value other than regulatory compliance, then it made sense to completely
avoid situations where IDS false alarms could be triggered or
service availability could be impacted.
On the subject of return on investment from penetration testing,
there are two aspects to consider with regard to skills: there are the skill
levels of the testing team, and there are also the skill levels of the testing
subject.
I mentioned in this ...