Penetration testing: a how-to guide for enterprises
A new approach to traditional challenges
Penetration testing is the cornerstone of any cyber security strategy, yet enterprises often don’t get an optimal outcome from their pen test engagements. In this blog I’ll be looking at the three main reasons behind this, and also suggesting an alternative way of working that could vastly improve security outcomes whilst also increasing business value.
Understanding complex enterprise challenges
The first issue is the technical complexity of the infrastructure underpinning enterprise operations. Enterprise IT infrastructure is all too often a sprawling and chaotic mix, thanks to a history of legacy equipment, acquisitions and fast growth, and now not only hybrid environments but also multi-cloud workloads. This makes it difficult for a pen test provider to understand the big picture of your technical landscape, which hinders the planning and execution of a test and often leads to isolated testing. For example, the deep technical complexity can prevent proper planning and clarity, meaning the pen tester’s focus is dictated by budget rather than by security objective. This often happens because the business looks at each project as an isolated security risk, or is not thinking about security at all, so the test becomes just another item on a project checklist.
Next is the issue of finding a reputable and reliable penetration testing provider that an enterprise can trust. Crucially, the provider should focus on delivering an innovative service that adds value compared to a standard test. But with so many security providers in the marketplace, and pen tests starting to become commoditised, what should you really look for in a provider?
Solutions to improve your testing outcomes
We can now sum up the three answers to these challenges. You should find a pen test partner who:
- Shows an understanding of enterprise IT challenges
- Demonstrates expertise, insight and passion
- Asks questions about the strategic aims underpinning the test
A new way to approach pen tests
Traditional pen test schemes can struggle to integrate smoothly with modern IT methodologies, such as agile software development and DevOps practices. This creates inefficiencies in testing and security oversights, lowering a pen test’s value and often giving a false sense of security. To avoid security risks and prevent data breaches, enterprises need to change the way their penetration testing projects are procured and run in the modern age of computing.
Enterprises should take a holistic approach to security and run penetration tests as part of an overarching strategy. This means penetration tests should be objective-based and procured as part of a wider, ongoing security programme. In the example of an agile software development lifecycle (SDLC), testing key sections of the application as they change, rather than always trying to cover the whole application, makes each test more robust and focused. Done well, it can reveal whether security flaws stem from a particular developer’s bad habits or from a poor coding culture. Addressing these issues directly will drastically increase the security of the application as pen testing becomes part of the SDLC. The best approach is to make sure pen testing is part of the early stages of development, saving the time and money spent on remediation further down the line and reducing how often developers are blocked and frustrated by security. Key to this success is forming a close relationship with a trusted penetration testing provider, rather than splitting tests across multiple providers on an ‘as and when’ basis or awarding each test to the cheapest quote.
Building penetration testing into a unified security solution
No security service exists in isolation, and there are complementary services that can accompany penetration testing to have a transformational effect on enterprise security. Linking penetration test results to an asset management system turns pen test findings into threat intelligence, giving enterprises extra security insight and making remediation quicker and more effective. Penetration test results should be considered part of an organisation’s whole threat profile, with results analysed in the same place as analyst events, vulnerability assessment (VA) scan results and compliance tracking. This ‘single pane of glass’ approach gives an aerial view of an organisation’s security posture, making it easier and more cost-effective to prioritise and combat security threats.
Summary: a smarter way to manage your security scanning strategy
Even when the primary business driver for booking a test is a box-tick from a compliance or supply chain requirement, it’s vital for an organisation’s security teams that a good testing outcome is still achieved. Enterprises frequently select a big-name vendor in the hope of securing a high-quality test, but what results instead is a cookie-cutter service that fails to truly meet business objectives. Instead, enterprises should seek reputable suppliers who can show both technical and strategic understanding, as well as demonstrate an innovative approach. This will greatly improve the value penetration testing gives, and increase your organisation’s security in real terms.