Security testing has become a primary concern for businesses in both the private and public sectors, as shown by the significant budgets now allocated to this kind of testing. Its purpose is to reveal flaws in security mechanisms and to find vulnerabilities or weaknesses in the many software applications that businesses rely on day to day. With recent breaches at numerous high-profile organisations, and with just under half (46%) of UK businesses identifying at least one cyber security breach or attack in the last 12 months, the need to make sure your security testing is on point has never been greater.
In today's cyber security landscape the primary focus is often given to the penetration testing element, and rightly so: penetration testing brings its own unique value to the delivery of new applications and processes as well as to those already in place. In this blog we look not only at the value this area of testing brings, but also at what a security test team, and the wider business, needs to remember in terms of getting the basics right.
Penetration testing is described in many ways, but more often than not it is labelled a "security check". It does not stop at uncovering weaknesses, though: it goes on to actively exploit the vulnerabilities it finds in order to prove or disprove real-world attack scenarios against a company's software, networks, data, programs and computers.
While all of this is true, and while security testing may well involve automated tools and processes, the business should remember to focus on the individual tester or team of testers: the experience they bring to the test, and the skills and wherewithal they can leverage in the context of an active attack on the business.
This should not be overstated, but neither should it be dismissed. Even businesses with the financial muscle to bring highly automated, well-resourced teams and sophisticated counter-measure technologies to bear are often vulnerable to the human mind, which can think laterally and outside the box, can analyse, and is usually armed with motive and determination.
There are numerous reasons why companies invest in penetration testing, these include:
• Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
• Identifying security weaknesses that may be difficult or impossible to detect with automated Security scanning software
• Enabling a business to assess the impact on business and operational areas should an attack prove successful
• Testing the ability of in situ defenders to successfully detect and respond to the attacks
• Providing evidence to support increased investments in security personnel and technology to Senior Management, Investors and Customers
• Meeting compliance requirements; for example, the banking industry requires both annual penetration testing and further testing after any significant system change
• Following a security incident, a penetration test is often used to re-create the breach scenario, or to validate that the new security controls put in place will counter a similar attack in the future
As is apparent, there are many pertinent reasons for conducting penetration testing, but in our experience we should not underestimate the role that software testing professionals themselves play in looking at the whole picture during security testing: they can help ensure that we "get the basics right". Given the technical approach employed in penetration testing, it is sometimes forgotten that test professionals bring a built-in instinct for figuring out which areas of an application may be at risk. They can look at a piece of software holistically and identify the paths an attacker may take when trying to infiltrate the high-value parts of an application.
Having software testing professionals take a degree of responsibility for the basics of security testing, and getting those basics right, matters for two reasons. First, application security is of growing importance for almost every business that carries an element of risk in its day-to-day operations, as breaches continue to make headlines the world over. Second, involving testers early and running the simplest of scenarios helps solve a problem that plagues many organisations: making sure that potential weaknesses are picked off early and remedied without fuss or significant cost.
We are of course not saying that test professionals can take sole responsibility for application or software security, given the need for detailed review of code to ensure there are no intrinsic vulnerabilities. But in getting the basics right in areas such as user interfaces, APIs and design characteristics, testers can play a lead role in security, because they tend to look at the wider view, the big picture if you like.
Test professionals are accustomed to testing functional requirements, that is, what the application or system can do. It is just as crucial to consider what the application must not do, so running basic checks such as verifying that account lockout works after repeated failed logins is key to getting the basics right. Another example, which again may be deemed basic, concerns the errors an application returns. You would not want a login form to tell the user that a user id is invalid and then helpfully show the format that was expected: each distinct message lets an attacker confirm which accounts exist and what valid identifiers look like. Basic, but potentially very useful to an attacker.
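To make the two basics above concrete, here is an added example (not code from the original post, and not any particular product's login code) showing a deliberately leaky login handler next to a hardened one. The hardened version returns one generic message whether the user id is unknown, the password is wrong, or the account is locked, hashes a dummy password for unknown user ids so the response cost is the same either way, and locks the account after a fixed number of failures. The thresholds (5 attempts, 15 minutes), the PBKDF2 iteration count and the injectable clock are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed policy values for this example; a real deployment sets its own.
MAX_FAILURES = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ITERATIONS = 10_000  # kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored alongside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock value at which the lock expires


class LoginService:
    # One message for every failure path, so the response cannot be used
    # to tell a valid user id from an invalid one.
    GENERIC_ERROR = "Invalid user id or password"

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._accounts: Dict[str, Account] = {}
        self._clock = clock  # injectable so lockout expiry can be tested offline
        # Dummy credentials hashed for unknown user ids so that the work
        # (and therefore the response time) matches the known-user path.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("not-a-real-password", self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def leaky_login(self, username: str, password: str) -> Tuple[bool, str]:
        """The 'before': distinct messages confirm which user ids exist and
        even describe the expected format, and there is no lockout at all."""
        acct = self._accounts.get(username)
        if acct is None:
            return False, "Unknown user id: expected format is firstname.lastname"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return False, "Incorrect password"
        return True, "OK"

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """The hardened version: uniform error and account lockout."""
        now = self._clock()
        acct: Optional[Account] = self._accounts.get(username)
        if acct is None:
            hash_password(password, self._dummy_salt)  # equalise the work done
            return False, self.GENERIC_ERROR
        if acct.locked_until > now:
            # Locked accounts reject even the correct password, with the same message.
            return False, self.GENERIC_ERROR
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failures = 0
            return True, "OK"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return False, self.GENERIC_ERROR

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and acct.locked_until > self._clock()
```

A tester running "the basics" against this would try an unknown user id and a known user id with a wrong password and check that the two responses are byte-for-byte identical, then submit MAX_FAILURES bad passwords and confirm the correct password is refused until the lock expires. Note the trade-off the lockout introduces: an attacker who can guess user ids can deliberately lock real users out, so a deployed system usually pairs lockout with rate limiting per source and monitoring of lock events rather than relying on lockout alone.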
In summary, when deciding on your approach to security testing, remember that it is not all about the automated element; the human element must be engaged too. Getting these basics right will ensure that whatever security testing approach you put in place identifies and remedies both basic and high-level vulnerabilities at the right point in the delivery process.