So you have worked out what a pen test is, decided that you need one and seen that there is a list of preferred pen testing companies that have been due-diligence checked, rated and customer reviewed, but you are wondering how often you should pen test. The answer depends in part on what kind of pen test you do, but there is some broad guidance we would suggest.
A penetration test should be conducted on a regular basis: at least once a year, and after any significant change to the systems in scope (a new internet-facing service, a major version upgrade, a change to authentication or network boundaries). It is advisable to supplement the more in-depth penetration testing with continuous monitoring, such as vulnerability scanning and change tracking, because a point-in-time penetration test cannot account for zero-day vulnerabilities, new exploits or changes to your own estate that occur between tests.
That sounds a bit dry, right? Penetration testing can be a costly exercise, and that is why we see the trend to conduct it annually. Customers and auditors who require you to have been pen tested will usually ask for a copy of a report from the last 12 months. They acknowledge the cost in terms of time and money, and they will assume that you have dealt with the findings effectively, so keep the evidence of remediation alongside the report. The real answer is that the more testing you can do, the better. The guidance is to retest after every major change. Again, depending on the type of test, a rigorous programme of co-ordinated testing across the year, mixing different types of test (external, internal, web application, and so on), will reap the most rewards.
What we do know is that a pen test is a test at a point in time. It says only that, on that day, against that scope, these were the issues the testers were able to find. Much like life, nobody can predict the future, and in the fast-changing world of technology, where system updates arrive with unnerving frequency and dedicated attackers find new exploits all the time, the test is of value, but that value decays as the gap between the test and today grows. The more often you test, and fix what is found, the shorter the window in which an unknown weakness sits exposed.
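To make the two rules above concrete (annual retest, and retest after a significant change), here is an added example, not code from the original article: a small Python check that compares a snapshot of exposed services taken on the day of the last test against today's snapshot, flags anything new or changed as a retest trigger, and also flags a report older than 365 days. The snapshot format (a map of "host:port" to service banner) and the sample hosts are constructed assumptions for illustration, not a real inventory tool.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data for this example (not real hosts). A "snapshot" is a
# hypothetical map of exposed "host:port" -> service banner, as an asset scanner
# or inventory might record it.
Snapshot = dict[str, str]

BASELINE: Snapshot = {          # what was in scope on the day of the last pen test
    "web1:443": "nginx/1.24",
    "web1:22": "OpenSSH_9.2",
    "db1:5432": "PostgreSQL 15",
}
CURRENT_SNAPSHOT: Snapshot = {  # what is exposed today
    "web1:443": "nginx/1.26",   # version changed since the test
    "web1:22": "OpenSSH_9.2",
    "api1:8080": "Jetty 9.4",   # new service, never tested
}

MAX_REPORT_AGE_DAYS = 365       # "at least once a year"


@dataclass
class RetestDecision:
    due: bool
    reasons: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> dict[str, list[str]]:
    """Classify exposed services as new, removed or changed between two snapshots."""
    new = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"new": new, "removed": removed, "changed": changed}


def report_age_days(last_test: str, today: str) -> int:
    """Days since the last pen test; both dates are ISO-8601 strings."""
    return (date.fromisoformat(today) - date.fromisoformat(last_test)).days


def retest_needed(last_test: str, today: str,
                  baseline: Snapshot, current: Snapshot) -> RetestDecision:
    """Apply the two rules from the text: retest annually, and retest after a
    significant change (anything newly exposed or changed since the baseline).
    Removed services shrink the attack surface, so they are reported but do not
    by themselves trigger a retest."""
    reasons: list[str] = []
    age = report_age_days(last_test, today)
    if age >= MAX_REPORT_AGE_DAYS:
        reasons.append(f"last report is {age} days old (limit {MAX_REPORT_AGE_DAYS})")
    d = diff_snapshots(baseline, current)
    if d["new"]:
        reasons.append("untested new services: " + ", ".join(d["new"]))
    if d["changed"]:
        reasons.append("changed services: " + ", ".join(d["changed"]))
    return RetestDecision(due=bool(reasons), reasons=reasons, removed=d["removed"])


def demo() -> RetestDecision:
    """Run the check on the constructed sample: the report is fresh, but the estate moved."""
    return retest_needed("2024-03-01", "2024-06-01", BASELINE, CURRENT_SNAPSHOT)


if __name__ == "__main__":
    decision = demo()
    print("retest due:", decision.due)
    for r in decision.reasons:
        print(" -", r)
    if decision.removed:
        print(" (no longer exposed: " + ", ".join(decision.removed) + ")")
```

In the sample, the report is only three months old, yet a retest is still due because a new service appeared and a tested one changed version; that is the "after any significant change" rule doing its job. In practice the snapshots would come from whatever scanner or asset inventory you already run, and the scope of the retest can be limited to the services listed in the reasons rather than the whole estate.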