MIT Technology Review

Not all hackers attacking companies are bad guys; some are being paid to do so by their target. In a service known as penetration testing, a security firm attempts to access or control a client’s systems in order to uncover weaknesses that could be exploited by a real attacker.

Certain types of businesses are legally required to undergo penetration tests, but many others are opting for them too, says Brian Holyfield, cofounder of Gotham Digital Science, a company based in New York that specializes in this service. Holyfield told Tom Simonite, Technology Review’s IT editor for hardware and software, that during some large jobs, Gotham deploys three of its hackers against a company for weeks at a time.

TR: Why is penetration testing needed? Couldn’t you just tell a company which vulnerabilities an attacker would look for?

Holyfield: We aren’t looking for standard vulnerabilities. Most of the time we’re looking for code-level vulnerabilities in custom applications. Everybody has Web apps now, and the reality is that the firewall does little to protect them.

What kinds of companies do you work with?

We work mainly with banking and finance, health care, and software vendors. All sites and systems that accept credit cards are expected to undertake testing if they make more than a certain number of transactions per year. But a lot of companies are not compelled to do this. The biggest market we’re serving is companies that provide software as a service. They are being asked by customers about what they are doing to ensure it is secure.

Are customers scared about volunteering to be hacked?

The first time anyone goes through this, there is a level of nervousness and even paranoia. We have to work to get them to put aside their egos and understand that it’s not an us-versus-them exercise; we’re not trying to make anyone look bad. When a “pen test” is over, clients are generally happy that we found the problem before the bad guy.


Credit: JR Rost

Tagged: Business, Business Impact, Securing Data
