Online apps and tools have become an integral part of how we live and work. If you own or run one of these systems, you will be aware of the constant threat of a cyberattack, and the risks this poses to your business. If you use cloud services you should also be aware of the assumptions you are making about the security of those services, or have a basis for trusting the security assertions the vendor is making.
Regular, pre-emptive penetration testing (or “pen-testing”) can mitigate these risks, provide knowledge and confidence, and improve the security and privacy posture of these applications, APIs, portals and other web services.
What is penetration testing?
- Pen-testing simulates cyberattacks against your systems in a controlled environment, based on globally-accepted testing standards that are applicable to the targets.
- Skilled and creative ethical or “white hat” hackers assess and report on the vulnerabilities and exploitability of the target systems, allowing system owners to understand and remediate weaknesses, ideally before attackers find them.
Why is pen-testing important?
- If your website, web app or API handles sensitive or personally identifiable information from your customers, you will want to ensure that you are meeting your privacy obligations.
- If your organisation depends on a web service for its reputation, online sales, or otherwise for doing business, you will be keen to secure those business critical assets.
- If you depend on reliable sending and receiving of emails, you will want to be sure you have strong control over your domain assets.
- Developers and DevOps teams are very focused on functionality and time to market. Although they are typically aware of the need for strong security, it is difficult for these teams to keep security as a primary consideration alongside all their other priorities, to be experts in every aspect of security, or to “mark their own homework”. Much like financial audits, independent, specialist eyes are essential to finding the holes and helping to improve the secure development and configuration practices of the Dev and DevOps teams. Regular pen-tests help minimise attack and data breach risks, and can also drive continuous improvement in internal practices.
- A pen-testing program is key to building trust with stakeholders and customers, and is also becoming central to the sales process for many modern, online businesses.
How do we build an effective pen-testing program?
- First, identify the assets you need to protect. This can include obvious assets, such as your website, web applications, e-commerce portals, web-based administration portals, remote access systems, other public IP addresses, and related services such as domains and DNS.
- Then, consider what impact a disruption to those services, or a data breach from those services, might have on your organisation. This will help to quantify the risks associated with those assets, and to prioritise the assets (i.e. the targets) that should be in scope for pen-testing.
- Also think about how regularly these targets are changing, in terms of both code and configuration, and in terms of the systems themselves and the infrastructure or services in which they are deployed. More rapidly changing targets are riskier, because each change can introduce vulnerabilities that did not exist at the time of the previous pen-test.
- Think about how regularly pen-testing should be performed against each target. Most standards and frameworks require a minimum of annual pen-testing, but this should be considered a minimum rather than being sufficient for all targets. More critical or high risk targets should be tested quarterly, and after any significant changes, and we recommend a minimum of six-monthly testing for moderately critical systems.
- Check that you have representative, non-production copies of all systems that require comprehensive, standards-based pen-testing. Since pen-testing involves taking an “offensive” stance against those targets (i.e. simulating, often with some aggression, the steps that an attacker could take), it is very rare to perform full-depth pen-testing against live, production systems. On the other hand, it is important, not least to get the best value from a pen-testing engagement, that these non-production systems are as close as possible to their production equivalents in terms of source code, configuration and infrastructure.
- Consider pen-testing service providers who hold globally recognised certifications and credentials, operate according to widely accepted testing standards, offer high-quality engagement, communication, and outputs, and can provide efficient structures for an ongoing program of penetration testing for your assets.
Speak to us today about how penetration testing can benefit your business, and let us guide you through this process. Our team of expert pen testers can help you to strengthen the ongoing security of your online offering. We are highly experienced in a wide range of target types, including web applications, public and private networks (wired and wireless), global-scale e-commerce solutions, web APIs and SCADA solutions, to mention a few. We’d love the opportunity to hack you carefully before someone else does.