I believe a professionally delivered security assessment knocks the socks off a classic penetration test (pentest) for value and cost effectiveness. But there are times when a pentest is more than adequate for a client's immediate needs. This is commonly the case when the client requires a quick "attacker's" evaluation of a semi-independent website - one partially or indirectly affiliated with their organization. From the client's perspective, this type of pentest represents an economical way to evaluate whether the website requires a more detailed security review in the future. It's a stratagem obviously related to the "compelling event" security-budget release program.