Your business is up and running. Your first product is ready for release. But wait, have you verified its security with external penetration testing?
Fast forward a year, and you are happily getting on with day to day business. Business is growing, new systems are coming online, upgrades are being made to your product. But wait, when was the last time you checked your application and infrastructure with external penetration testing?
You’ve finally taken the first steps to digital transformation. The cloud is all set up, and you are ready to turn off the on-prem servers. But wait, do you really know that everything is secure? Have you verified your cloud’s security with third party penetration testing?
Third party penetration testing is one of the most potent software security tools available to your organisation, allowing you to verify that your newly developed application, new system, or entire network is secure.
What is penetration testing?
Penetration testing (also known as pentesting, or ethical hacking) is an assessment of an organisation’s security posture.
In external penetration testing, ethical hackers from outside your organisation will ‘hack’ into your systems (with your permission). The penetration testers carry out a simulated attack on the network, application, or system mimicking the attack methods used by cyber criminals in order to test the defences you have in place, and find any weaknesses that could compromise your security.
Penetration testing can be carried out on an application (software), or networks (infrastructure), including cloud infrastructure.
External penetration testing is a security best practice for organisations of all sizes, in all industries. For companies who develop applications of any type, software security testing through penetration testing is a must have.
Why is external penetration testing important?
Identify vulnerabilities in systems, infrastructure, and applications
Penetration testers will simulate the techniques used by hackers, providing an all-around picture of the real-world attack vectors facing the organisation, and whether there are any security vulnerabilities in systems, application configurations, and infrastructure.
Just some of the vulnerabilities that penetration testing will check for are:
- Weaknesses in infrastructure
- Vulnerabilities in the operating systems, services, and applications used across the organisation
- Incorrect system configurations
- Logic flaws in application processes
- Weak credentials
- Out of date systems and poor security processes
The penetration testing team will actively hunt for weaknesses, getting a full picture of the system in the test, and searching for new or unidentified vulnerabilities.
Provide risks for prioritisation
The penetration testing team will provide information about how easy it was to exploit the vulnerability, and a risk assessment of the potential impact should it be exploited by a malicious actor. This assessment in turn will enable those responsible for security to prioritise risks and create a plan for mitigation.
Provide verification of security for management
Third party penetration testing provides an impartial view of the organisation’s security posture which can be used to inform senior management about security risk, and provide evidence of how well the organisation is protected against cyber attack. In turn this will drive discussions about strategy and resources.
Meet industry and regulatory requirements
Many regulations and industry standards (including HIPPA, PCI DSS, and NIS) place responsibility on organisations to protect their data. Third party penetration testing is a recognised software security tool which allows organisations to demonstrate that they have done just that. Other frameworks such as the ISO 27001 framework actively require external penetration testing for certification.
As a further incentive, regulations such as the GDPR have the power to levy fines on organisations who don’t sufficiently protect their customer’s data. External penetration testing is therefore a way of preventing a breach, or providing evidence of security activity in the event of a data privacy breach.
Meet customer security expectations
Supply chain security is an area of increasing concern for many organisations. Customers are beginning to specify the security standards they expect from their suppliers in their contracts, including evidence of penetration testing, and a plan for external penetration testing going forward.
Promote secure development
External penetration testing is a key component of a secure software development lifecycle. Even the most conscientious of developers need validation from others that their code is secure. In addition as the application is updated and new functionalities are added, vulnerabilities can creep in.
Regular penetration testing will test the code for vulnerabilities, potentially identifying vulnerabilities the developers weren’t even aware of, and ensure that the overall application is secure.
When should organisations carry out external penetration testing?
The general guidance is that organisations should plan to conduct external penetration testing on a regular basis. “Regular” may mean different time frames for proprietary applications, purchased systems, and the wider infrastructure and network. Some of the variables that will feed into an external penetration testing programme include:
Recurring or annual routine penetration testing
External penetration testing is part of a technical systems audit, ensuring that all updates have been carried out, that new software has been applied correctly, that updates to your own applications have not compromised security, and so on.
If nothing has changed (and let’s face it, things always change), the basic timeline should be an annual security health check up. The cyber security landscape changes very quickly, and annual third party penetration testing will ensure that systems are validated against the most current of attack vendors, some of which may not have been around the previous year.
However there may be requirements to carry out external penetration testing more often. Regulations may instruct organisations to carry out testing more than annually. Or the organisation may decide that critical infrastructure should be tested more frequently. In those cases, there may be a rolling schedule of external penetration testing over the course of a year.
Before a new application is deployed
The timing for external penetration testing for new applications can be tricky. On the one hand, it is more cost effective and productive to carry out penetration testing before an application enters production. However, test too early and there will be too many changes to the application that will not be included in the scope of the test. However the rule of thumb is when there is a stable product, but that there is time to mitigate any major findings without delaying the launch.
When a new system or equipment is introduced to the network
Every new application, website, system, or service adds a new attack surface to the network. As a result, whenever a new system is added to the network, the network should be verified with external penetration testing to ensure that the new system does not introduce new vulnerabilities to the network.
When major changes are made to the network
A major change can include updating a specific system, a change in the architecture/ design of the network, carrying out a digital transformation to the cloud, updating firewall rules, and more. Each of these changes come with their own vulnerabilities, and upgrades to an existing system that has been tested many times over the years can also introduce new risks. Every new change to the network should be subjected to external penetration testing before the change is exposed to the internet.
Ultimately, if you are asking if now is the time for external penetration testing, then it probably is. External penetration testing is one of the most useful security tools at any organisation’s disposal as it verifies the organisation’s security posture, identifies risk for the organisation, and informs the information security programme.
Stay safe