<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-2397196717839865841.post7269170463308817627..comments</id><updated>2010-08-24T11:33:45.556+10:00</updated><category term='career advice'/><category term='australian information security market'/><category term='economics'/><category term='AISA'/><category term='FUD'/><category term='sacred cows'/><category term='webappsec'/><category term='vulnerability management'/><category term='IPS'/><category term='security patching'/><category term='futurism'/><category term='DoS'/><category term='causes'/><category term='privacy'/><category term='information security governance'/><title type='text'>Comments on Infamous Agenda: What should your security team look like?</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.infamousagenda.com/feeds/7269170463308817627/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2397196717839865841/7269170463308817627/comments/default'/><link rel='alternate' type='text/html' href='http://www.infamousagenda.com/2010/08/what-should-your-security-team-look.html'/><author><name>Matthew Hackling</name><uri>http://www.blogger.com/profile/12211732838162218259</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2397196717839865841.post-6889534078715550194</id><published>2010-08-24T11:33:45.556+10:00</published><updated>2010-08-24T11:33:45.556+10:00</updated><title type='text'>I am a firm believer that if anything, the role of...</title><content type='html'>I am a firm believer that if anything, the role of the architect should be retained in house and the roles of penetration testers should be outsourced, if anything.&lt;br /&gt;&lt;br /&gt;Firstly - architects rely heavily on relationships with stakeholders and an understanding of the business environment, IT systems and applications as well as dependencies on legacy systems. This knowledge takes a very, very long time to acquire.&lt;br /&gt;&lt;br /&gt;Secondly - penetration testing is a constantly evolving field with a strong upkeep. These skills and the people it attracts need to be very well looked after and consistently trained. Most companies lack the training budget, patience or even just the time to provide these people the care they require.&lt;br /&gt;&lt;br /&gt;Thirdly - unless the pentest involves a whitebox methodology, then the pentester needs to be removed to maintain their independence in conducting a blackbox approach. If it is whitebox, then they can be supplied the data they need regardless. Working in-house removes that independence.&lt;br /&gt;&lt;br /&gt;Fourthly - depending on how busy your office environment is, your pentesters might not be left alone long enough to conduct a test. Have you ever tried doing a pentest with 5+ 1 hr meetings in a given day? Trust me, it isn&amp;#39;t possible.&lt;br /&gt;&lt;br /&gt;These were my experiences in my last role. 
I was brought onboard to do pentesting but over time, as the demands of the role increased, found my role changing to that of an architect and almost a technical PM managing pentesters. &lt;br /&gt;&lt;br /&gt;- J.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2397196717839865841/7269170463308817627/comments/default/6889534078715550194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2397196717839865841/7269170463308817627/comments/default/6889534078715550194'/><link rel='alternate' type='text/html' href='http://www.infamousagenda.com/2010/08/what-should-your-security-team-look.html?showComment=1282613625556#c6889534078715550194' title=''/><author><name>Jarrod</name><uri>http://www.blogger.com/profile/09705073585945953338</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01961497227698185767'/><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.infamousagenda.com/2010/08/what-should-your-security-team-look.html' ref='tag:blogger.com,1999:blog-2397196717839865841.post-7269170463308817627' source='http://www.blogger.com/feeds/2397196717839865841/posts/default/7269170463308817627' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1926495770'/></entry></feed>
