Regardless of your company’s maturity level, penetration testing should be conducted annually to understand the health of your applications.
Every spring, my family has an annual ritual of visiting our friendly primary care physician for our physical exams. Although it’s one of the last things my wife wants to do, these routine checkups are an important way to detect problems before they become more noticeable. During a physical, my doctor regularly checks for common ailments such as heart disease and diabetes, which affect millions of Americans, and very often makes recommendations for lifestyle, exercise, or diet changes to live a healthy life.
In the context of application security, I think of penetration tests as synonymous with an annual physical exam—they allow you to take important steps to understand the health of your applications and provide recommendations on how to improve your overall risk posture. With scheduled penetration testing, you can perform exploratory risk analysis and business logic testing, and mitigate business-critical vulnerabilities in your applications. Experienced penetration testing companies use a variety of sophisticated automated and manual testing methods, focusing on finding a comprehensive list of vulnerabilities.
A key driver for penetration testing is innovation—the need to keep up with the latest attacks, industry techniques, tools, and processes. Best-in-class penetration testing continuously improves and updates its techniques, providing better testing at greater depth and covering commonly accepted security criteria such as OWASP Top 10 2017, OWASP API Security Top 10, MITRE Top 25 Most Dangerous Software Errors 2019, PCI DSS 3.2.1, and NIST 800-63.
It’s important that the tests focus on focus first on common security issues that attackers may exploit, such as weaknesses in authentication and access control enforcement, input validation and data encoding, configuration issues, and so on. We also recommend testing that explores business logic issues, including attacks outside a predefined list or that may not have been considered otherwise, such as business logic data validation, workflow bypass, and integrity checks. Finally, it’s important to remove false positives so you can focus on actionable steps to improve the health of your app with customized remediation strategies and guidance.
Here are some recommendations on the type of penetration testing companies should employ based on their maturity.
Beginner: At this stage, we recommend using external penetration testers. Experts bring a new set of experiences and skills with industry best practices to help ease you into the process. It’s important to ensure that the results from the tests get back to the engineering team. This can be done through established defect management or mitigation channels, and leverage existing systems (e.g., Slack, JIRA) to integrate remediation into developer workflows. Establishing this process is also a good first step toward setting up a software security group, which carries out and facilitates software security initiatives that help improve overall risk posture.
Intermediate: At this stage, it’s crucial to provide penetration testers access to all available information and artifacts such as source code, design documents, architecture analysis results, and code review results, as well as cloud environment and other deployment configuration information. This will enable testers to do deeper analysis and find problems throughout the secure software development life cycle (SSDLC). Further, it’s important to set up a testing cadence, especially for high-profile applications, to ensure yesterday’s software isn’t vulnerable to today’s attacks.
Advanced: For companies that have been using penetration testing as part of their software security initiatives for several years, we recommend using external penetration testers to perform deep-dive analysis, especially for critical projects. At this stage, it’s key to validate whether skilled penetration testers can break a system, and how test results can be used for designing, implementing, and hardening new systems. Finally, it’s vital to understand how penetration testing can be performed throughout the entire SSDLC using agile methodologies and paired with other application security methods such as threat modeling and architectural risk analysis.
Penetration testing is a low friction way to get started on your software security journey. Like an annual physical, a penetration test helps create a baseline of the health of your application, but it’s key to pair a penetration test with other methods such as static application security testing, software composition analysis, threat modeling, and architecture risk analysis to get a holistic view of the health of your applications.
Debrup Ghosh is a Senior Product Manager within the Synopsys Software Integrity Group. His prior experience includes working at Verizon to launch IoT products that brings together embedded IoT sensor data into a seamless user experience on web and mobile platforms. Debrup is the author of one patent that focuses on bringing together computer vision processing to aid federally mandated Driver Vehicle Inspection Report (DVIR), simplifying the life of millions of truck drivers in the United States. He holds an MBA from The University of California, Irvine, and takes great pride and honor in mentoring students at his alma mater.