Is Penetration Testing always the Answer to Secure Applications?

Endure Secure does not receive sponsorship for published blogs. Trusted, open-source standards are referenced as much as possible to avoid passing on vendor bias on information security topics.

Information Security has come a long way since I entered over 5 years ago. I remember how small the information security industry was, and how very few outside of the industry even knew what a penetration test was. I quickly joined a wave of information security evangelism, which in retrospect must have been pretty effective, considering how widely known penetration testing is today. These days I sometimes face a very different situation, where companies perform penetration testing for just about any change to their applications. But is penetration testing always the right approach to secure applications?

Firstly Some Background

Now penetration testing is nothing new, and nor is securing applications. However, over the last decade there has been an increasing focus on these areas, as securing your applications is now more important than ever. But there are multiple ways to achieve this, so why did penetration testing take off?

The short answer is that it’s sexy. Someone showing you how to hack into an application and tear it to shreds is a quick way to get your attention. When compared to old school source-code analysis, penetration testing demonstrated obvious value. But more importantly, it came alongside high-quality reporting of information, that even high-level executives can appreciate.

So What’s the Problem?

Reading that introduction, you’re probably more convinced that a penetration test is a good idea. But penetration testing has two main downsides:

1. Cost: Even a small, one-off penetration test is hard to get for less than $10,000. Larger one-off engagements can cost almost as much as a person’s salary for the year. While you can save money by purchasing penetration tests in packages, or hiring your own penetration testers, the nature of the engagement, and the heavy human involvement, keep the cost high. In fact if you’re paying less that the amount shown please double check that your not just getting a vulnerability scan.
   
2. Testing Fatigue: Something no penetration tester will admit to is the fatigue that comes with testing applications too frequently, or where very little change has occurred since the last engagement, this can demotivate penetration testers and hinder them from delivering the same quality of work.
   
3. Timing: Even if you don’t believe money and fatigue are issues for you, penetration tests often take weeks to complete.

Now the pros of penetration testing far outweigh the cons, but let’s take a look at the role of penetration testing within the wider application security context. There is a multitude of tools out there that can deliver results far more quickly than a penetration test and can provide quicker value. These tools can identify common vulnerabilities, and many have come a long way in terms of accuracy.

So When Should you get a Penetration Test?

Budget is the biggest deciding factor for this. If you’re a small business, you probably don’t have a budget for penetration testing. If you do, it’s probably just enough for an annual test, even if you’re a tech company. But even larger companies with larger budgets have to prioritise applications for testing due to the length it takes to complete. Consider the following to work out whether you need a penetration test or not.

1. Is the application critical for the business to succeed?
2. Is the application exposed to the internet?
3. Does the application store personal information (first names, surnames, credit card information)?

If your answer to any of these questions is “Yes”, then you definitely should get you application penetration tested periodically. A common question is whether an application being behind a WAF should be a consideration. While a WAF is important to have, it shouldn’t be a consideration for penetration testing. Instead, companies should follow the same questions for prioritising applications that need to be onboarded onto their WAF.

If you’re a small business, and you answer yes to question 1 or 3, I still urge you to prioritise annual penetration testing. The cost of dealing with a full-blown cyber-attack is easily high enough to wipe out a small business. Additionally, if you’re a tech company, having an application security program is essential, and can be done cost-effectively.

If you’re a large business, and you have applications that answer no to all of these, it’s still wise to get a penetration test against those applications, but as a lower priority than the rest. An application security program can help you secure applications across your business more quickly and cost effectively, addressing those lower-priority applications sooner.

Closing Thoughts

Regardless of your business size, penetration testing has it’s benefits. Whether you are testing everything unnecessarily, or can’t afford a penetration test, an application security program could be the answer. For more information on what an application security program entails, feel free to get in contact with us at https://endsec.au/contact/.