Wow, just when I thought we had beaten this topic to death, out comes Pete Herzog with a refreshing look at security and testing. The first thing you have to realize is that vulnerability and patch management only take you so far. They have become the new firewall: they provide some protection, but they still leave you feeling vulnerable and awake at 3am asking yourself whether you're going to be the next RSA or Sony. Pete calls for a return to real penetration testing, the type of testing that looks deep into your environment, ties systems together, chains multiple small vulnerabilities together, and tells you where your real problems are. The problem is that no one wants this type of testing. I think that is for two reasons: they know you will find holes, and it's cheaper to just run a vulnerability scan and limit the scope to finding things that, in the end, don't really matter.
We would like to encourage all companies to do a couple of things. First, at a bare minimum, run a vulnerability scan against your environment before a test. A growing number of our friends who do penetration testing are getting tired of finding MS08-067 vulnerabilities. Basically, you should do an in-depth scan and a basic penetration test before you have a test at the level Pete is talking about.