Pentester versus cyberthug. Who checks the security of your application better?

In today’s world, is penetration testing a must or just something that’s recommended? Taking a close look at the research of cybersecurity professionals and the results of a survey of technology companies, it seems that the former – necessity – is the clear winner. Both sources undoubtedly indicate that cybercrime is on the rise – the number of vulnerabilities is growing, and the people and mechanisms securing systems are overburdened. Considering the growing need to safeguard applications and infrastructure, what can pentesters contribute?

Penetration testing – why is it worthwhile?

This short text is intended to share my opinion on whether penetration tests are valid for virtually any type of application (web, mobile, embedded), as well as infrastructure or cloud.

I have used industry jargon related to White & Black Hat Hackers in the title. Even though I have only mentioned two poles, it is worth noting that the cybersecurity industry enumerates as many as six hats (incidentally, the name refers to a western, yes – that genre of films in which Clint Eastwood played many epic roles). As a field of digital engineering, cybersecurity has strong war-military connotations. Just like war-military, the West resonates very well with the theme of war, life in the wild West, fast-paced plotting, shoot-outs, and highly polarised characters. Let’s cut to the chase, then.

Pentester and cyberthug – who is more ‘costly’?

The validity of pentesting before launch, let alone software testing, has been questioned many times in my almost 10-year career. The good news is such attitudes are becoming increasingly rare – and you may even hear the phrase I fully support: “my/your company can’t afford not to do pentest.” Leaving this stage out of testing can be very costly once a hacker has attacked.

Penetration testing is carried out by a cybersecurity specialist (White Hat Hacker) who performs a controlled (contractually agreed in advance) attack to assess the security features used on systems objectively. If your software is attacked by a person who is doing it illegally (Black Hat Hacker), then:

•     There is a risk (and it often turns into reality) that our secrets, intellectual property, etc. (or in many cases, to put it bluntly, competitive advantages!) are available somewhere in the meanders of the Darknet (on the TOR network),
•     In the post-GDPR reality, companies that have anything to do with the processing of personal data (so, really all of them) are obliged to ensure exacting standards to protect these processes – there are very severe penalties for data leakage caused by an attack,
•     Cyberthugs are not bound to the test subject by any contract – there is no testing process, scope, or plan. Simply put: there is no control, but there is a lack of accountability for the activities performed,
•     Testing by Black Hat can turn out very wrong. For instance, infrastructure with a very high availability requirement (SLA) will be disabled for longer than the contract for said availability, which can incur contractual penalties that often would have quietly covered the budget for robust security testing.

There is no end to the examples. However, before deciding to forgo penetration testing or outsource it to Black Hat Hacker, consider this question: is it worth it?

Here’s what I recommend: don’t wait around. Have your security testing done by specialists who will detect vulnerabilities in a controlled manner without exposing your systems to unnecessary risk and who can efficiently help you patch them.

If you are interested in this article and are considering security testing your software, set up a free consultation with us. Krzysztof and his team have extensive experience in cybersecurity and will help you test your software before a cyberthug does.