Answer yes if your organisation conducts regular penetration tests of any applications or systems that it develops and remediates the findings. Please state how often penetration tests take place in the notes section.
What is the control?
Penetration testing involves attempting to break into systems or applications, circumvent security controls, cripple applications, or otherwise breach applications or infrastructure, using the same tools and techniques a real attacker would.
Why should I have it?
Even when proactive measures such as secure coding practices and vulnerability scanning of code are in place, penetration testing can reveal vulnerabilities that were missed, or that only appear once the scope is broadened beyond what earlier testing covered. For example, an application may be vulnerable only because of something in the production infrastructure that was not present during pre-production testing.
Since penetration testing is usually performed by specialised, objective third parties, it adds a layer of assurance on top of in-house assessments. Clients in particular often request copies of penetration test results (or have their own tests performed), because they get objective results from a mutually trusted third party with the necessary expertise.
If the testers are unable to break the application or break into it, that provides a degree of assurance that it will resist most would-be attackers. Bear in mind that this assurance is bounded by the test's scope, time budget and the testers' skill, and that it applies to the system as it was at the time of the test: a clean report is a point-in-time result, not proof that no vulnerability exists.
Your policies and processes around your software development life-cycle and/or your project delivery framework should require that any significant change to an existing application (or any altogether new application) is subjected to a penetration test, and that the findings are tracked through to remediation and retested.
Penetration tests should ideally be performed by objective third parties. In some cases, especially in very large organisations, it may be significantly more cost- and time-efficient to have an internal penetration testing function (often run alongside a red team, which conducts broader, objective-driven adversary simulations rather than scoped tests), but tests performed by independent third parties should still be commissioned periodically as validation.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.