2003-06-02
Welcome to the SecurityFocus Pen-Test Focus Area
last updated June 2, 2003
For the last three decades, penetration testing has been perceived as an obscure and almost magical discipline usually performed by highly skilled and very secretive professionals within the information security community. To date, these professionals have rarely discussed their techniques and daily activities in a public forum. This veil of secrecy surrounding penetration testing (also known as pen-testing) has made it challenging for organizations to comprehend exactly what it is and what it is used for.

I feel pen-testing is the most accurate and effective way to adopt the role of an attacker in order to identify and understand information security risks. It is simply a must-have practice if you are serious about security. While pen-testing has not yet been widely adopted, we are now seeing more and more individuals and organizations embracing the practice for a myriad of reasons, including: new regulatory requirements, new business opportunities, unfulfilled risk management promises, organizational information security due diligence or simply professional, academic and research interest.

The Penetration Testing focus area at SecurityFocus offers us a unique opportunity. Through this community we will be able to bring together individuals to discuss, understand and enrich the body of penetration testing knowledge. We will be afforded the opportunity to improve the penetration testing practice as a whole and help establish new levels of professionalism that both the marketplace and the practitioners demand. To accomplish this goal we will need to engage in serious discussion regarding the technical, legal, ethical and business aspects of penetration testing. As a prerequisite to this discussion, however, we must overcome one important barrier: the lack of a common language in dealing with the issues of penetration testing.

SecurityFocus provides the information security community with an unprecedented and much-needed broad forum to openly discuss and present the penetration testing practice. It is up to us to take advantage of this opportunity and turn it into a productive and useful initiative for the general public. I gladly accept the challenge.

Ivan Arce
Chief Technical Officer, Core Security Technologies