Re: 4 Penetration Testing Tips
I'll second that the dentist/doctor analogy is a perfect one. After all, if you're only looking to do the bare minimum, you might as well do it yourself, and save your money on the 3rd-party firm (this part extends to the dentist analogy as well)! When you call in the dentist, you're looking for two things - routine, necessary care that you can't do yourself at home (penetration testing and things that require specialized analysis/horsepower), and specific issues that may have slipped through the cracks. Sometimes the latter will include seemingly obvious stuff, and that's okay - just make sure you've done your due diligence first.
I do think that faster dev cycles and a generally faster-paced business culture have a lot to do with these breaches and gaps in security. There are probably a lot of best practices that could improve how we work security into agile development (etc.) from the get-go, but it seems unlikely that we can ever reach old levels of diligence. After all, the whole idea of speeding up dev cycles and slashing red tape is that we were doing too much, right? And after all, there's some fairness to that. 3-4% for a company like Target is huge, but is it really that much more than adding 10% or 20% to their dev time? Depends on your perspective.