Aside from security testing often not being what it is labelled as (for example, penetration tests that are really vulnerability assessments), we have a constant focus on what appears to be “controls” based security testing. Controls testing is essential and has many benefits, but restricting yourself to a controls-only testing strategy will not give you the full picture of whether someone can actually steal your secret sauce. You should also take a step back and a long, hard look at the controls you have put in place, and remind yourself why you put them there in the first place. An “objective” based approach gives the security assessment a different framing (steal this intellectual property from repository x). It still validates your controls in the process, but more importantly it answers “can my secret sauce be stolen?” rather than only “is my DLP solution working correctly?”.
I have put a short video down below which briefly covers my thoughts on this.