Security and IT teams often see penetration tests as a negative. To solve this, we work collaboratively on every test, using it as a tool to keep you secure.
A cynical approach to penetration testing can lead to clients not getting the best results as they can subvert the process or switch off or isolate critical servers, or even completely remove them from scope.
This mindset can prove detrimental as an attacker would look to exploit any vulnerability they discover. The underlying issue appears to stem from a perceived lack of trust by IT and security teams. They fear they could be shown up by a damning report.
In reality, penetration testers have the same shared goal: to provide assurance that you don’t fall victim to an attack. So, how can we all work together to get the best results?
Work with and not against a penetration tester
First and foremost, the aim of any security testing is ensuring your attack surface is as secure as reasonably possible. Independent security testing provides a fresh perspective on your web applications and infrastructure environments. They're undertaken by skilled professionals who discover vulnerabilities every day that can often be overlooked.
At Informer, we always request a technical contact for every engagement. Which means we can work collaboratively to find every vulnerability and ensure the report doesn’t show the team in a bad light.
This dynamic and collaborative approach allows for fixes to be implemented quickly and efficiently.
Web environments are increasingly complex
Networks and web applications are highly complex environments which require months of work and resources to configure securely. While it seems that a penetration tester only has to find one flaw to compromise an asset, a security team has to patch and securely configure hundreds to thousands of different potential entry points.
This is the very reason why security testing is imperative. With such an expansive environment, it’s all to easy for vulnerabilities to be unknowingly introduce. To get a true understanding of an application’s security risk, having a single penetration every year is possibly not the best approach.
A penetration test should not be seen as a tick-box exercise. It should be utilised as best as possible to ensure the application is hardened and reviewed whenever a code change is made.
Penetration testing in an agile world
The current model of penetration testing does not account for agile development and ongoing deployment processes.
These modern development methodologies could introduce new bugs which will not be found until up to 12 months later when the next yearly penetration test takes place. Or even worse when an attacker picks it up.
If something critical is amiss, such as a missing Windows patch, often it is easier for the client to patch this system while we’re performing the engagement. It can then be reduced to an informational finding.
This in itself demonstrates that by working closely with your testing partner, you are empowered to make changes quickly, reducing risk and affect how this information is reported.
We are increasingly seeing penetration testing programmes adapting to agile with tests being requested based on major releases and product updates.
This approach is more aligned and robust than traditional annual testing, and when combined with on the fly fixes, it provides further assurance on reducing risk exposure.
Remember why you are testing
Stepping back from the testing itself, it’s worth reflecting on why you are testing in the first place. Cyber attacks are increasing in frequency and sophistication all the time, often making headline news.
In most instances, penetration tests should not be viewed as us vs them. We’re here to ensure that every known issue is discovered and every potential entry point is examined closely.
By having a robust security testing programme in place, and working collaboratively with your security partner, you will get the most benefits from the project. Giving the further benefit of keeping your CEO out of the front pages.