Why Penetration Testing Is Important for Your Business

Understanding why penetration testing is important for your business starts with the realization that even the most comprehensive security plan is likely to have blind spots. Penetration testing lets you find those blind spots the way an attacker would: by actually trying to exploit them.

Ever heard of Guglielmo Marconi? In 1909, he shared the Nobel Prize in Physics for his contributions to wireless telegraphy, which we now know as radio communication.

A lesser-known fact is that his system, which was being marketed as secure and private, was also the target of one of the first hacks in history.

In 1903, Nevil Maskelyne, a British magician and inventor with a sardonic sense of humor, disrupted a public demonstration of the technology given by Marconi's associate John Ambrose Fleming at the Royal Institution in London. Using a transmitter of his own, he injected messages into the receiver, including a limerick mocking Marconi, embarrassing the inventor and undermining his claim that the system could not be interfered with.

Maskelyne demonstrated the danger of marketing a technology as secure without taking the measures needed to make it so. More than a century later, many large tech companies still have not learned the lesson of the Marconi-Maskelyne story.

Fortunately, today we have a procedure at our disposal that tackles this problem: a simulated attempt at breaking our demonstration at home so that it doesn't happen in public. The procedure is called penetration testing, and it is one of the final checks on whether your company's security controls actually hold up.

Let’s elaborate on some of the reasons why penetration testing is important for your business.

Reason #1: A cyber attack can have far-reaching consequences

We are all very cautious when it comes to safeguarding our possessions in the physical world, but when it comes to digital assets, the average user doesn't give security much thought. They more or less assume their data is locked in a bulletproof vault that no one could ever get into.

Trust is one of the cornerstones of every online business, and hardly anyone gives it a second thought…until that vault is breached. Suddenly, there’s a shift in awareness that usually produces a slew of negative consequences.

Once the customers lose trust in a digital product, they start looking toward the competition and this death spiral usually leaves businesses with fewer users, less revenue, and a severely damaged reputation.

And data leaks are not the only danger lurking in the digital realm. If you are online, you are a potential target for all sorts of attacks. For instance, a denial-of-service (DoS) attack, which overwhelms a service with more traffic or requests than it can handle, could take your business offline in seconds. In an environment run by the motto "99.9999% uptime or bust", not planning for such scenarios in advance is a risk you should not be taking.

Recovering from the damage posed by cyber attacks is an uphill struggle that could take years, which is one of the reasons why penetration testing is important here. That shift in awareness needs to happen proactively rather than reactively. Users will assume that their data is secure, and it is the responsibility of business owners to justify that assumption ahead of time.

Reason #2: All code is potentially defective

You might think that you have great developers on your team who would never let a vulnerability slip into your system. That might even be true, but the road to a security crisis is usually paved with good intentions.

Let’s take a look at a typical digital product today.

  • It is made up of hundreds of thousands of lines of code.
  • The code written by your own team is usually the smaller portion of it; the rest is third-party dependencies.
  • It lives in the cloud and runs 24/7.
  • It's developed and deployed in a fast-paced agile environment.
  • Mountains of private and confidential customer data are stored inside it.
  • It's branded as secure by default.

It is the perfect breeding ground for disaster and another reason why penetration testing is important.

Thousands of new Common Vulnerabilities and Exposures (CVEs) are published every month, a stark reminder that extreme caution is better than extreme self-confidence, especially in the era of third-party dependencies, large systems, and constant availability.

What’s more, security is a word on everyone’s lips, but rarely given enough attention in practice.

"We'll do it in the next sprint" or "Let's just fix the high-priority issues" are sound bites that echo in the halls of tech companies around the world. The same goes for "We have features to ship, pronto", and every feature shipped without a security review widens the attack surface available to would-be hackers.

Getting new features out promptly reigns supreme for stakeholders and business owners. It’s almost an industry stereotype that security-related topics get relegated to the backlog time and again.

Reason #3: Hacking is a profitable business

There’s one big difference between Maskelyne and today’s hackers. As the late Kevin Mitnick, a computer security consultant and a convicted hacker, put it:

Hackers are breaking the systems for profit. Before, it was about intellectual curiosity and the pursuit of knowledge and thrill, and now hacking is big business.

Kevin Mitnick, computer security consultant, author, and convicted hacker

This very attitude is what underlies and motivates the booming business of cybercrime, and another reason why penetration testing is important for your business. 

Back in 2013, Yahoo suffered a breach that compromised all 3 billion of its user accounts, and it still sits in collective memory as the largest data breach of all time. Yahoo never fully disclosed how the attackers got in, but Yahoo was far from the only victim, and similar news has only become more common in the last 10 years.

This shady industry shows no signs of slowing down any time soon. So what is to be done?

Why penetration testing is important for your business

When it comes to developing a cybersecurity strategy, all the security controls, processes, documentation, automated vulnerability scanners, security training, and SAST, DAST, IAST, and SCA tools (static, dynamic, and interactive application security testing, and software composition analysis) will only get you so far. In fact, green checks and neatly filled-in audit sheets can instill a false sense of security and a certain casualness about how exposed your product is to malicious actors.

Of course, the processes and tools mentioned above have an important part to play, but there is a limit to what they can tell you. The only reliable way to find out what a hacker would do to your system is to have someone with a hacker's skills and mindset actually try it.

Enter penetration testing: a simulated attack, authorized and scoped in advance, with the express purpose of determining the security posture of a system by finding and demonstrating exploitable vulnerabilities.

Penetration testing, or pen testing for short, shouldn’t be treated as just another checkmark for passing a certain security gate.

When done by experienced pen testers with a deep insight into your business logic, penetration tests help you uncover how resilient you truly are to cyber threats.

The main reason why penetration testing is important is that it can reveal areas that an internal security team may have overlooked or draw attention to security weaknesses that are much harder to detect from the inside.

Here are a few tips for getting the most out of pen testing:

Outsource it

In order to eliminate blind spots and biases, it's crucial to engage "ethical hackers" from outside your organization: an independent third party that performs the pen test without any assumptions about how the system is supposed to work.

Promote open communication

Transparent communication between pen testers and the development team is crucial for success. Pentesting should be approached through a partnership since both teams share the goal of making the system more resilient.

Combine automated and manual testing

Skilled pen testers always use a combination of automated scanners and manual testing. Automated tools are good for broad coverage of known vulnerability classes (outdated components, missing headers, injection patterns), but they perform poorly on business-logic and authorization flaws, where every response looks perfectly valid and only a human who understands what the application is supposed to allow can tell that something is wrong.
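The contrast described above, as an added example that is not part of the original article: a minimal invoice lookup with an insecure direct object reference (IDOR), its hardened counterpart, a stand-in for a signature-based scanner check, and the cross-account probe a tester performs by hand. The application, the users and invoices, and the two probe functions are all constructed for illustration; the scanner probe is a deliberately crude model of a generic DAST check, not any real tool's logic.

```python
"""Why a generic scanner misses an authorization flaw that a manual tester finds.

Constructed example: an in-memory "invoice API" with an IDOR, beside the fix.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 4_999),
    1002: Invoice(1002, "bob", 129_900),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    """Authenticates (a session user is required) but never authorizes:
    any logged-in user can read any invoice just by changing the id.
    Every response is a well-formed 200 with no error text, so nothing
    here looks broken to a check that only knows about error signatures."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return {"status": 404}
    return {"status": 200, "owner": inv.owner, "total_cents": inv.total_cents}


def get_invoice_hardened(session_user: str, invoice_id: int) -> dict:
    """Same lookup plus an ownership check. A foreign invoice gets the same
    404 as a non-existent one, so the response does not confirm that the
    id exists (a 403 would leak that)."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        return {"status": 404}
    return {"status": 200, "owner": inv.owner, "total_cents": inv.total_cents}


def scanner_probe(handler, user: str = "alice", invoice_id: int = 1002) -> bool:
    """Crude stand-in for a signature-based scanner: flag server errors and
    classic injection tells in the body. Returns True if it flags anything.
    Both handlers pass, which is the point: a valid-looking 200 carrying
    someone else's data is invisible to this kind of check."""
    resp = handler(user, invoice_id)
    body = repr(resp)
    indicators = ("Traceback", "SQL syntax", "ORA-", "<script>")
    return resp["status"] >= 500 or any(tok in body for tok in indicators)


def manual_idor_probe(handler, user_a: str = "alice", user_b_invoice: int = 1002) -> bool:
    """What a tester does by hand: authenticate as one user, request an id
    that belongs to another user, and look at WHOSE data comes back.
    Returns True if the handler leaks another user's object."""
    resp = handler(user_a, user_b_invoice)
    return resp["status"] == 200 and resp.get("owner") != user_a


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("hardened", get_invoice_hardened)):
        print(f"{name:10s} scanner flags: {scanner_probe(handler)!s:5s} "
              f"manual probe finds leak: {manual_idor_probe(handler)}")
```

Run stand-alone, the script shows the scanner probe passing both versions while the manual probe flags only the vulnerable one. The tester's edge is not cleverer payloads but knowing that alice should never see bob's invoice, a rule the application never states anywhere a scanner could read it.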

Define your scope and priorities

Even though penetration testing might sound like a "no stone left unturned" kind of business, putting too much in scope at once makes it easier to miss glaring issues. Go for multiple tests if your system is too complex to tackle in one go, and agree up front on what is in scope, what is off-limits, and which findings matter most.

Don’t ignore post-testing care

Finding issues is only half the battle. Any penetration tester worth their salt will offer guidance and remediation strategies, and ideally a retest once the fixes are in, to help you leave the system safer than they found it.

Test today, ask questions later

Cyber attacks are a reality, and the potential impact they can have on a business is not to be ignored. Because it anticipates attacks rather than waiting for them to occur, regular penetration testing should never be left out of a security initiative. It may not be the first step toward a safer product, but it's certainly a crucial one for determining your security posture.

Whether you are launching a new product, heavily upgrading or rebuilding your system, certifying your business, or even recovering from an attempted attack, penetration testing is a way of getting information on how soundly you can sleep at night. It will help lower the risks your business is potentially exposed to, support fast-paced development, and keep the predators at bay.

If you want to learn more about how you can get there, feel free to reach out to our security team.