Pen Testing: Timing is Everything

Penetration testing is an integral part of ensuring the security of your systems and applications. 

It is a form of ethical hacking, which we previously discussed in a three-article series. According to CodeDx, “A penetration test, or pen test, is a simulated attack against your web application. Previously, penetration testing was mostly performed on networks, rather than the applications running on those networks.

The purpose of a pen test is to identify vulnerabilities in your application exploitable from an outside attacker. Penetration testing can be performed against the various types of code and systems used in your application, such as APIs and servers.”

Now that you know what it is, the question then becomes, “When is the best time to do a pen test?”

Many companies pen test their existing applications, which is good and should be done at least annually. But a test that happens only once the application is already in production arrives late. You do want assurance that prod is safe, and a pen test will produce a stack of tickets, because finding weaknesses is exactly what it is designed to do. The problem is that if you deploy to prod and THEN test, every finding describes a weakness that has already been exposed for as long as that release has been live. You may already have been breached, and you have no way of knowing what those vulnerabilities led to while they were wide open.

When you are about to launch a major product or product iteration, or you have done a major rewrite or code refactor, you should pen test while the build is still in staging, before it ever moves to prod. Pen tests are expensive and you probably do not want to run 20 in a year, but any time a set of features significantly changes your system, and therefore could significantly change your security posture, a pen test is warranted, preferably an external, white-box (full-knowledge) test. You want prod secure on day 1, not day 1001.

It is almost always better to run a white-box test, in which the testers are given full knowledge of your systems, than a black-box test, in which they start with nothing. (These are often loosely called white hat and black hat tests, but those terms properly describe the tester's ethics, not how much they know.) A black-box test in prod, run for posterity or to see whether someone with no information about you or your company can get in, tells you very little, because real attackers rarely start from zero. Many attacks rely on inside information, because people are easier to hack than machines. It is far easier to pose as a job candidate, show up for an interview and ask an employee questions about the systems than to experiment endlessly from the outside, and con artists have other well-worn methods for extracting the same information. That is why white-box tests are more useful: they show you what someone who is actually targeting you is likely to get into. Even for a routine annual prod test, white-box is the way to go.

Think about it. If someone out there is your worst-case nightmare scenario and knows everything about your processes, systems and business, they will know exactly where your weaknesses are. A white-box test puts your testers in that position, so when the resulting tickets are closed you can be confident that every weakness the test was able to find has been resolved, and you are far better placed to weather a targeted, well-funded attack.

Pen testing is important to do on a regular basis, and it is equally important whenever there is a major change to your product. So, aside from annual checks on your applications, always test new features or anything else that could change your security posture. Data breaches, ransomware, viruses, worms, insider threats and the like are potential problems for any business, and testing your applications is essential to keeping them secure.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
