Penetration testing (pen testing) is a critical aspect of product development—whether your product offering is a software solution or a hardware device, testing for security gaps and known/unknown vulnerabilities is crucial to protecting your customers’ data.
Perhaps you’re a startup founder with a development background or an entrepreneur with a knack for the technical. Whatever the case, here are 11 things you need to know about pen testing to help keep your products and services safe from cyber attackers.
1. Penetration testing is a process of finding security holes before malicious actors do.
Exploits are constantly being developed to take advantage of known and unknown vulnerabilities in systems. Malicious attackers use them to penetrate systems for a range of motives: financial reward, fame or notoriety, political gain, corporate espionage, and more. A penetration test applies the same techniques, with permission and within an agreed scope, so that the holes are found and fixed before an attacker gets to them.
2. Penetration testing is different from vulnerability scanning and assessment.
Vulnerability assessment, the identification and ranking of existing vulnerabilities, comes before penetration testing. The latter goes further: it attempts to exploit those vulnerabilities and defeat the security controls of the system’s components, which confirms which findings are actually exploitable. In the past, vulnerability assessments were typically done quarterly while penetration tests were carried out annually. Both should also be done after significant system changes, and these days, the more often, the better.
3. Penetration testing is one type of software testing, focused on security.
Pen testers are essentially paid to find security holes in computing systems, with significant recognition going to the person or team who discovers a previously unknown vulnerability, the kind exploited by so-called “zero-day” attacks. Their challenge is to find unconventional ways into the system, whereas functional testers gauge the system against how it is supposed to work.
4. Pen testing tools range from commercial enterprise software to free open source solutions.
An abundance of free, open source pen testing tools is available for download, some developed by the community and some funded by companies. In the latter case, the firm usually charges for customer support or offers a premium version of the tool for a price.
5. Common tools of the trade include Nmap, Nessus, and Metasploit.
A myriad of pen testing tools are available, but Nmap and Nessus are arguably the most popular for the reconnaissance phase: Nmap for host, port and service discovery, Nessus for scanning the discovered services against a database of known vulnerabilities. Metasploit is a popular exploitation framework whose modules also cover information gathering, vulnerability scanning and reporting. For password cracking, Brutus (online brute-forcing of network logins) and RainbowCrack (offline cracking of captured hashes with precomputed rainbow tables) have both been widely used, though both are older tools.
6. Pen testing activities can be carried out both automatically and manually.
Automated tools have the advantage of speed and coverage, but manual testing is better at avoiding false positives (non-vulnerabilities reported as vulnerabilities), because a tester confirms that each finding is actually exploitable rather than trusting a version banner or a signature match. Manual testing also catches business-logic and authorization flaws that scanners have no signature for.
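The triage step that follows a scan with the tools in point 5, and the false-positive problem from point 6, as an added example (this is not code from the article, from the Nmap project, or from any scanner vendor). It parses Nmap’s `-oX` XML output, matches the detected products against a version table, and shows how a lexicographic version compare, a bug automated tools do make, reports a patched nginx as vulnerable. The sample XML, the two host addresses and the advisory table are constructed for illustration; the “fixed-in” versions are hypothetical and do not correspond to real advisories.

```python
"""Triage Nmap service-detection output against a version advisory table.

Added example; the scan and advisory data below are constructed for
illustration and do not describe any real host or CVE.
"""
import re
import xml.etree.ElementTree as ET

# Constructed Nmap -sV -oX output for two hosts (not a real scan).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.4.6"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="nginx" version="1.25.1"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical advisory table: product -> first fixed version.
# Everything below that version is treated as affected. Not real advisories.
ADVISORIES = {"OpenSSH": "8.0", "nginx": "1.9.5"}


def parse_nmap_xml(xml_text):
    """Return (addr, port, product, version) for each open TCP port
    on which Nmap identified a product."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no usable banner
            if svc is None or svc.get("product") is None:
                continue
            services.append((addr_el.get("addr"), int(port.get("portid")),
                             svc.get("product"), svc.get("version", "")))
    return services


def version_key(version):
    """'1.25.1' -> (1, 25, 1), so components compare as integers."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def naive_is_affected(version, fixed_in):
    """The kind of bug that makes automated tools emit false positives:
    a string compare says '1.25.1' < '1.9.5' because '2' sorts before '9'."""
    return version < fixed_in


def is_affected(version, fixed_in):
    return version_key(version) < version_key(fixed_in)


def triage(xml_text, advisories, compare=is_affected):
    """Map scan results to candidate findings. Even with correct version
    maths the result is only a hypothesis: a banner such as OpenSSH 7.4 may
    carry vendor-backported fixes, so every finding starts as 'unverified'
    until a tester confirms exploitability by hand."""
    findings = []
    for addr, port, product, version in parse_nmap_xml(xml_text):
        fixed_in = advisories.get(product)
        if version and fixed_in and compare(version, fixed_in):
            findings.append({"host": addr, "port": port, "product": product,
                             "version": version, "status": "unverified"})
    return findings


if __name__ == "__main__":
    for label, cmp in (("naive", naive_is_affected), ("correct", is_affected)):
        print(label)
        for f in triage(SAMPLE_NMAP_XML, ADVISORIES, cmp):
            print("  {host}:{port} {product} {version} [{status}]".format(**f))
```

Run against the constructed scan, the naive comparison lists three findings, including nginx 1.25.1 on 10.0.0.6:443, which is above the hypothetical fixed-in version; the integer comparison lists two. Both lists are still only candidates: the `unverified` status is the hand-off point to the manual work described above.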
7. Pen testing can be accomplished from both inside and outside the organization.
“Inside” and “outside” here cover both where the test runs from (the corporate network versus the public internet) and who runs it. Many vigilant enterprises run internal pen testing efforts as a regular “audit” of corporate systems, with the results cross-checked by external pen testers who bring an outsider’s perspective and none of the in-house assumptions.
8. Pen tests are classified by how much the tester knows in advance: black-box, grey-box, and white-box.
Black-box testing is done without any prior knowledge of the system; grey-box testing is carried out with limited information about its structure, often the credentials of an ordinary user; white-box testing gives the tester full access to design documentation, configuration and source code. In many cases a system needs to be tested through the lens of a normal user, and in those cases grey-box testing is the appropriate choice.
9. Pen testing is often required to adhere to compliance standards and regulations—especially when it comes to e-commerce functionality and online payments.
Adherence to PCI DSS, the Payment Card Industry Data Security Standard, is mandated by the five major payment card brands that founded the PCI Security Standards Council. PCI DSS imposes strict security requirements on any organization that processes, stores, or transmits cardholder data, and proof of periodic pen testing is required to validate compliance: the standard calls for penetration testing at least annually and after any significant change, alongside quarterly vulnerability scans.
10. Pen test processes allow for various attack vectors to be used against the same system.
Pen tests find gaps that individual scan results miss because the tester chains findings across systems to reach a specific target: a low-severity information leak on one host, a credential reused on another, and an over-permissive trust relationship between the two can together yield a compromise that no single finding, rated on its own, would predict.
11. Pen testing is often carried out after a security incident to confirm its cause.
To support forensic analysis, firms often use pen testing to recreate the attack and replay the sequence of events, which confirms the intrusion path suggested by the evidence and shows whether the fix actually closes it. This gives them the insight needed to improve the organization’s security posture.
2016 was a record year for data breach incidents, and cyber attackers aren’t slowing down in 2017. For this reason, pen testing should be an integral part of your product development strategy; without it, you could be placing your company’s well-being, as well as your customers’, at risk.