Everyone hated tests at school, right? You work hard all year (debatable), put the effort in (sometimes), revise like your life depends on it (maybe) and what do you get in return? The opportunity to have your efforts ripped apart by some "expert" examiner, that's what.
Passing an exam felt more like a sense of relief rather than a sense of pride, and the memories of those times are often enough to bring on a bout of sleepless nights. It's no wonder many of us try to avoid any kind of formal assessment if we possibly can, especially when it's to do with our work.
As a security testing provider, we understand the concerns that surround penetration testing: application developers, as well as IT professionals, can often be fearful that we are going to belittle their efforts or potentially show them up in front of management and/or the client. To call their baby ugly, if you will.
But penetration testing isn't here to undermine you or your work. It's designed to support your efforts, to help you work towards information security peace of mind, and to make you look like a superhero. Batman rather than a joker.
So, what would we say to those who feel slightly reluctant to hand over their hard work for testing?
- You're not expected to be perfect (in everything)
We've conducted hundreds, if not thousands, of security tests over the years and it's extremely rare that we don't find any issue to report. Vulnerabilities happen, it's a fact of development life, and we know that you aren't introducing vulnerabilities on purpose.
Your team are experts in a number of areas; our team are experts in information security. Together we'll make one hell of a combo.
- Give yourself valuable time – Engage as early as possible
It can be tempting to put off security testing until the application/infrastructure is "ready to go", but this can be a dangerous situation. What if you have an agreed release date and a last-minute pen test uncovers a host of vulnerabilities? You'll have to scramble to fix the issues quickly, delay the release, or go live with risky vulnerabilities still in place. Either way, it's not the best situation.
Engaging as early as possible helps flag vulnerabilities sooner and gives you the necessary time to make remediation efforts.
- Take advantage of post-test support
Penetration test reports should provide you with the remediation advice you need to fix the issues uncovered, but that shouldn't be the end.
As part of our post-test process, we encourage our clients to speak directly with the consultant who performed the test. This gives you the opportunity to ask questions, to gain their expert insight, to support your internal development team and to support discussions with external suppliers.
We can also support you with retesting, ensuring the issues uncovered have been understood and effective remediation efforts have been implemented.
- Testing needs to be an ongoing process
Information security, and the danger posed by malicious threats, is constantly evolving. What might be considered "secure" today may be vulnerable to attack tomorrow.
Security testing should therefore be undertaken on a regular basis, and testing providers should be working with you to help you prioritise your ongoing efforts effectively.