Is Penetration Testing Sufficient For A Security Audit?

Penetration testing may be one of the most popular practices in cybersecurity, but is it the same as a vulnerability assessment and is it comprehensive enough for your organization’s security workflow?

By: QuanHeng Lim, Aug 16, 2019

Penetration testing (‘pentest’) is one of cybersecurity’s most well-known practices. Often referenced in popular culture, penetration testing is so well known that even those unfamiliar with cybersecurity are likely to have heard of it.

Penetration testing is defined as an authorized cyberattack on a system, network, or application, for the purpose of discovering security vulnerabilities. The penetration tester attempts to compromise the security of the targets in scope using techniques that might be employed by a malicious actor.

Wrapping Our Heads Around Cybersecurity

Horangi began as the answer to two prevailing issues in the cybersecurity industry:

  1. Meeting the demand for cybersecurity services despite a shortage of cybersecurity talent, by utilising efficiencies gained from process refinement and tooling
  2. Turning cybersecurity into a competitive advantage for fast-growing businesses

Our approach to pentesting involves a consideration of both issues. In dealing with a variety of organizations, we have observed that many organizations tend to implement cybersecurity in an undirected manner, misplacing priorities on known surfaces and systems, thus missing the forest for the trees. Organizations also tend to treat pentesting as a catch-all for cybersecurity (especially right before products or systems are deployed), when the integration of cybersecurity into the organizational culture is arguably more important.

Pentesting In The Software Development Life Cycle

Penetration testing is often performed after development of the feature set is completed, just when a User Acceptance Test might also be performed. It is often performed on staging or production environments, since security vulnerabilities are more relevant when a product or system is close to going live.

However, if penetration testing is the only security measure taken, some issues may arise:

Better security controls that could have been employed earlier are missed, and security issues are identified late in the development cycle. Subsequent modifications to a product or system may be prohibitively expensive, especially when they require adding security specifications to the functional requirements, revisiting security in the architecture design, periodically reviewing code while development is in progress, or including security checks in intermediate builds.

Automation is key, especially with agile development cycles and fast-changing environments. This too can be shifted left with training and tooling. Results from Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) can usually be verified by the development team without much effort, and the scans can be integrated to run periodically or upon actions such as a merge request to a CI (Continuous Integration) branch or a new deployment. This frees up limited security resources and streamlines the mitigation process for issues that scanners can pick up automatically. Other than the Horangi suite of tools, there are several open-source and commercial options to implement this, lowering the barrier to achieving a baseline level of security. Shifting left is needed to realize the full value of a penetration test.
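One way to turn scanner output into the merge-request gate described above, as an added example that is not a Horangi tool or the page's own code: it assumes the SAST scanner emits a SARIF 2.1.0 report, the `fail_at` threshold and the `accepted` triage list are hypothetical conventions, and the report below is constructed for the example.

```python
import json

# Constructed SARIF 2.1.0 excerpt standing in for a SAST scanner's report on a merge
# request; only the fields the gate reads are included.
SAMPLE_SARIF = json.loads("""{"version": "2.1.0", "runs": [{"results": [
  {"ruleId": "sql-injection", "level": "error", "message": {"text": "Unsanitised input reaches a SQL query"},
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
  {"ruleId": "weak-hash", "level": "warning", "message": {"text": "MD5 used for a password digest"},
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 17}}}]},
  {"ruleId": "debug-flag", "level": "note", "message": {"text": "Debug mode enabled in config"},
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings.py"}, "region": {"startLine": 3}}}]}
]}]}""")

# SARIF result levels in ascending severity, so a threshold can be compared.
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}


def findings(sarif):
    """Flatten every result across all runs into (ruleId, level, uri, line, text)."""
    out = []
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((r.get("ruleId", "?"), r.get("level", "warning"),
                        loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine", 0),
                        r.get("message", {}).get("text", "")))
    return out


def gate(sarif, fail_at="warning", accepted=frozenset()):
    """Split findings into (blocking, informational).

    A finding blocks the merge when its level is at or above fail_at, unless its
    (ruleId, uri) pair is in `accepted`: a triage record the development team
    keeps in version control after verifying the finding, not a silent skip.
    """
    blocking, info = [], []
    for f in findings(sarif):
        rule, level, uri = f[0], f[1], f[2]
        if LEVEL_RANK.get(level, 1) >= LEVEL_RANK[fail_at] and (rule, uri) not in accepted:
            blocking.append(f)
        else:
            info.append(f)
    return blocking, info


if __name__ == "__main__":
    block, _ = gate(SAMPLE_SARIF, accepted={("weak-hash", "app/auth.py")})
    for rule, level, uri, line, text in block:
        print(f"BLOCK {level:<7} {uri}:{line} {rule}: {text}")
    raise SystemExit(1 if block else 0)  # non-zero exit fails the CI job and holds the merge
```

Run as a CI job step after the scanner; a non-zero exit holds the merge request until the finding is fixed or triaged into the accepted list.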

Evaluating Risk and Focus Areas

If everything is “high priority”, nothing is. The lack of protection differentiated according to business needs, threats and risks is a problem that applies to penetration tests as much as to the enforcement of security controls. Removing business context from cybersecurity decisions raises the cost of implementing cybersecurity without adding appreciable value from the exercise. Similarly, if pentesting is done without sufficient consideration of the business context, threats and risks will not be accurately represented in the risk assessment or criticality ratings. The result is a loss of trust in, and credibility of, cybersecurity as something that provides meaningful value.

This means that an open channel of communication is needed with the parts of the organization that hold this business context, to ensure value is gleaned from the pentest.

Perform Vulnerability Assessments With Penetration Tests

Pentesting may be a good way to kickstart cybersecurity initiatives for resource-strapped organizations, but it shouldn’t be the only form of defense implemented. Aside from pentesting, consider the following:

  • Performing periodic automated vulnerability assessments on your own to close the gaps between manual tests.
  • Ensuring threat modeling is done as part of the pentesting process, and that business context is provided for an accurate risk assessment.
  • Not ruling internal-facing systems out of the scope of work without careful consideration, since threats within them are often underestimated.
  • Considering a white box assessment, which is broader and provides a deeper perspective than a casual attacker would have, and so tends to be more comprehensive.

Closing Thoughts

Maximize the impact of your next pentest by scoping it strategically around your top business priorities. This way, you pay only for what you need and get results that you can actually use to improve your security posture. The effectiveness of a penetration test depends heavily on how well your development or deployment pipeline is integrated with automated security testing, and on how well the pentest report is aligned with business objectives.


Quanheng “Q” Lim is Director of CyberOps at Horangi.
