
>> the main benefit of a successful pentest is to achieve a change in culture

Is there much (any?) public evidence that this tends to happen after a successful pentest, though?

One of my friends used to be a pentester. He said (I paraphrase) "we go in, break stuff, write a report, go home".

What's the betting that in a company with a poor security culture the pentester's report might just end up locked in a safe?



I did a website for Visa a few years ago, and it required a pentest before launch. We tried to find a loophole to justify it not needing a pentest (because that would give us 3 more weeks to develop the site), but no luck. It was such a simple site with no database, but they required it to go through pentest anyways.

The pentest came back with some recommendations. Mostly to do with the use of HTTP headers. Absolutely we fixed them, and made damn sure that the next time we had a site to be pentested those unforced errors were not repeated.

So on a small scale, yes. Pentesting improved the way we developed websites. I don't know about how it affected the "culture". Visa has a really strong security culture already.


>> Pentesting improved the way we developed websites. I don't know about how it affected the "culture". Visa has a really strong security culture already.

So if the security culture is strong, the pentesters' reports are read and implemented; if the security culture is weak-to-completely-non-existent, they'll likely be ignored?


> if the security culture is weak-to-completely-non-existent, they'll likely be ignored?

---->

> if the security culture is weak-to-completely-non-existent, they'll likely not even be budgeted or done.


I think you already answered your own question when emphasizing ‘public’ there.

Security isn’t fun, and at best a relief (when nothing is found). When a pentest was successful, as in, the tester got in, you can be sure it’s kept under wraps.

So no, I don’t think there are many, if any, public records. The fact that there is shame and status involved in not being completely airtight is a big driver of the persistent insecurity of the world at large.

Anonymized records would go a long way in achieving a shift to safety and awareness, but as you can read here they are easily construed as stories of fiction.

Everyone likes talking about that growth hack that drove a 1000% revenue increase. No one wants to talk about the database hack that spilled thousands of client records out in the open.

