Proving due diligence and compliance.
Whether the Security Assessment is driven by an audit requirement, due diligence or a compelling event, it is highly likely that there will be a requirement for a third party to conduct the work. Furthermore, the findings and advice identified as a result of the work may need to satisfy internal or external auditors, the board or shareholders.
As such, it is clearly important that the style and content of the assessment, those performing the work and the deliverables (i.e. the reports) satisfy the technical requirements set down. Perhaps more importantly, they must also reflect a business understanding within the context of the project, and be able to present and articulate this to technical and non-technical target audiences.
The Security Assessment field is rapidly becoming an industry in its own right. Business demand has grown alongside the proliferation of information regarding vulnerabilities, their exploitation and remediation.
Corporate Internet presence has developed from simple, static brochure sites to increasingly complex interactive applications allowing potential customers and partners alike to delve into the data and systems at the heart of the enterprise.