Everyone hated tests at school, right? You work hard all year (debatable), put the effort in (sometimes), revise like your life depends on it (maybe) and what do you get in return? The opportunity to have your efforts ripped apart by some ‘expert’ examiner, that’s what.
Passing an exam felt more like a sense of relief rather than a sense of pride and the memories of those times are often enough to bring on a bout of sleepless nights. It’s no wonder many of us try to avoid any kind of formal assessment if we possibly can, especially when it’s to do with our work.
As a security testing provider, we understand the concerns that surround penetration testing. Application developers, as well as IT professionals, can often be fearful that we are going to belittle their efforts or show them up in front of management and/or the client. To call their baby ugly, if you will.
But penetration testing isn’t here to undermine you or your work. It’s designed to support your efforts, to help you work towards information security peace of mind, and to make you look like a superhero. Batman rather than the Joker.
So, what would we say to those who feel slightly reluctant to hand over their hard work for testing?
- You’re not expected to be perfect (in everything)
We’ve conducted hundreds, if not thousands, of security tests over the years, and it’s extremely rare that we don’t find at least one issue to report. Vulnerabilities happen; it’s a fact of development life, and we know that you aren’t introducing them on purpose.
Your team are experts in a number of areas, our team are experts in information security. Together we’ll make one hell of a combo.
- Give yourself valuable time – Engage as early as possible
It can be tempting to put off security testing until the application or infrastructure is ‘ready to go’, but this is a dangerous position to be in. What if you have an agreed release date and a last-minute pen test uncovers a host of vulnerabilities? You’ll have to scramble to fix the issues quickly, delay the release, or go live with known vulnerabilities still in place. None of those is a good outcome.
By engaging as early as possible, you get vulnerabilities flagged while there is still time in the schedule to remediate them properly, rather than patching under release pressure.
- Take advantage of post-test support
Penetration test reports should provide you with the remediation advice you need to fix the issues uncovered, but that shouldn’t be the end.
As part of our post-test process, we encourage our clients to speak directly with the consultant who performed the test. This gives you the opportunity to ask questions, to gain their expert insight, to support your internal development team and to support discussions with external suppliers.
We can also support you with retesting, which verifies that the issues uncovered have been understood and that the remediation actually closes them, rather than simply taking a fix on trust.
- Testing needs to be an ongoing process
Information security, and the danger posed by malicious actors, is constantly evolving. What might be considered ‘secure’ today may be vulnerable to attack tomorrow, as new techniques are discovered and as your own systems change.
Security testing should therefore be undertaken on a regular basis, and again after any significant change to the application or infrastructure, and testing providers should be working with you to help you prioritise your ongoing efforts effectively.