
11) Does your organisation conduct regular penetration tests of any applications or systems that it develops?

August 30, 2022
Software Development
Web Application Pentest
Penetration Testing

Answer yes if your organisation conducts regular penetration tests of any applications or systems that it develops and remediates the findings. Please state how often penetration tests take place in the notes section.

What is the control?

Penetration testing involves trying to break into systems or applications, circumvent security controls, cripple applications, or otherwise breach applications or infrastructure using the same tools and techniques an attacker might.

Why should I have it?

Even when proactive security measures such as secure coding practices and scanning code for vulnerabilities are in place, penetration testing can reveal vulnerabilities that were missed, or that only appear when the scope is broadened beyond what earlier testing covered. For example, an application may only be vulnerable because of something in the production infrastructure that wasn’t present during earlier pre-production testing.

Since penetration testing is usually performed by specialised and objective third parties, it can provide an additional layer of assurance to in-house assessments. Clients in particular like to request copies of the results of penetration tests (or have their own performed) as they can get objective results from a mutually trusted third party with the necessary level of expertise.

If the penetration testers are unable to break the application or break into it, this provides assurance that it is sufficiently secure against most would-be attackers.

How to implement the control

Your policies and processes around your software development life-cycle and/or your project delivery framework should include a requirement for any significant changes to existing applications (or altogether new applications) to be subjected to a penetration test.

Penetration tests should ideally be performed by objective third parties. In some cases, especially in very large organisations, it may be significantly more cost- and time-efficient to have an internal penetration testing (also known as red teaming) function, but tests performed by independent third parties should still be commissioned occasionally as validation.

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
