Why Pen Testing Is Central to State's App Security
Fortify Co-Founder and Chief Scientist Brian Chess made a stir last year when he predicted -- incorrectly, so far -- that penetration testing would be a dead art in 2009. Among those who shrugged off the suggestion was Robert Maley, CISO for the Commonwealth of Pennsylvania.
In this Q&A, Maley -- a customer of Core Security Technologies -- explains how pen testing became an essential piece of his strategy to keep citizens' personal data out of enemy hands.
Describe the environment you are responsible for.
Maley: My environment includes roughly 47 state agencies, boards and commissions, which comprise about 77,000 employees, 80,000 endpoints and 5,000 servers that my office is ultimately responsible for. We have agencies with remote offices all across the state, at least 1,000 locations.
Then there are citizens who don't work for the state but regularly access your applications to pay bills and such?
Maley: You can pay taxes, get fishing and hunting licenses, renew driver's licenses, register to vote, basically get every service the government has to offer. There has been a long-standing drive for e-government services.
Given that you're processing cardholder data online, what have you had to do to meet the demands of PCI security compliance?
Maley: We don't store cardholder data here, but we do handle the transactions that are then passed on to the bank. This is where penetration testing is important. We use internal vulnerability scanning to find and mitigate vulnerabilities before bringing in an outside vendor for additional scanning. We've had a lot of success with this approach so far.
Describe how pen testing has been woven into your core security procedures.