In today’s world, is penetration testing a must or just something that’s recommended? Taking a close look at the research of cybersecurity professionals and the results of a survey of technology companies, it seems that the former – necessity – is the clear winner. Both sources undoubtedly indicate that cybercrime is on the rise – the number of vulnerabilities is growing, and the people and mechanisms securing systems are overburdened. Considering the growing need to safeguard applications and infrastructure, what can pentesters contribute?
This short text is intended to share my opinion on whether penetration tests are valid for virtually any type of application (web, mobile, embedded), as well as infrastructure or cloud.
I have used industry jargon related to White & Black Hat Hackers in the title. Even though I have only mentioned two poles, it is worth noting that the cybersecurity industry enumerates as many as six hats (incidentally, the name refers to a western, yes – that genre of films in which Clint Eastwood played many epic roles). As a field of digital engineering, cybersecurity has strong war-military connotations. Just like war-military, the West resonates very well with the theme of war, life in the wild West, fast-paced plotting, shoot-outs, and highly polarised characters. Let’s cut to the chase, then.
The validity of pentesting before launch, let alone software testing, has been questioned many times in my almost 10-year career. The good news is such attitudes are becoming increasingly rare – and you may even hear the phrase I fully support: “my/your company can’t afford not to do pentest.” Leaving this stage out of testing can be very costly once a hacker has attacked.
Penetration testing is carried out by a cybersecurity specialist (White Hat Hacker) who performs a controlled (contractually agreed in advance) attack to assess the security features used on systems objectively. If your software is attacked by a person who is doing it illegally (Black Hat Hacker), then:
There is no end to the examples. However, before deciding to forgo penetration testing or outsource it to Black Hat Hacker, consider this question: is it worth it?
Here’s what I recommend: don’t wait around. Have your security testing done by specialists who will detect vulnerabilities in a controlled manner without exposing your systems to unnecessary risk and who can efficiently help you patch them.