Part 4. People
The purpose of this article is to identify the People component of the solution.
Let's look at the list of roles necessary to implement the process and structure described in the second article.
Part 3. Technology - Enabling governance structure & process
This article is going to focus on what, in my view, the technology component of the solution should look like.
And again - I want to highlight that NO technology alone would be sufficient.
We need to get all three components right – process, technology and people.
Part 2. Pentesting - how to address the challenges… let’s start with the Process
This article is going to focus on what I believe is the first component of the solution – addressing the pentesting process and governance structure for sizeable pentesting programs (more than twenty pentests per year).
Part 1. Current State of Pentesting
Many jurisdictions have made pentesting mandatory. Some even go as far as to make remediation mandatory as well!
And for many years the infosec community has been saying and writing that pentesting is broken. Google finds hundreds of articles on that and similar topics.
This article is about that. The next articles will be about ways to fix it when running sizeable pentesting programs.
Announcement
This will be a series of four articles. The intent is to analyse the common problems of running pentesting programs and come up with recommendations on what to do about them.