Commonwealth of Pennsylvania CISO Robert Maley explains how pen testing is essential to keep citizens’ personal data out of enemy hands. Maley: “A lot of Web-based apps are the target of cross-site scripting and SQL injection attacks. Source code analysis is also a critical part of our CA2 process. We use internal vulnerability scanning to find and mitigate vulnerabilities before bringing in an outside vendor for additional scanning. An automated pen testing tool allows me to go through and review vulnerability scans and see in real time what kinds of weaknesses can be exploited. I don’t see that as something you can replace.”

