
Risk and threat evaluation
11 December 2023

(Recurring) pentests: a waste, or best practice?

By Maurits Mulders, Cybersecurity Engineer at Thales Netherlands

A pentest (short for penetration test) is a security assessment whose goal is to find as many cyber vulnerabilities as possible. Usually done by white hat hackers (the ethical kind), these tests give insight into how resilient your system actually is. When was the last time your external network was assessed by a pentest? Or your internal network? That custom-built application? And what about recurring pentests every year? Is performing recurring pentests a waste of time, or a best practice?

Within an agreed-upon time frame and a dedicated scope, white hat hackers will use everything in their capabilities to gain access to their appointed system, network or application. The security flaws they identify are shared with the client, so that these can be resolved and the system, network or application becomes a lot more secure. With the increasing number of security attacks (there is a hacker attack every 39 seconds), you could argue that a pentest should be mandatory for every company and for every system or application that is connected to the internet. Unfortunately, the risks are usually not the main motivator: if pentests are done at all, it is usually because of compliance regulations or a leftover budget at the end of the year. But when done structurally, for the right reasons, pentests are an invaluable asset to your future business goals.

Test before you release

Let us take a look at web applications such as LinkedIn or Gmail. These are adjusted on a regular basis: functionalities get added or changed every few days, and the code changes regularly. These adjustments could introduce security vulnerabilities into the structure of the application. And what about newly published vulnerabilities? Of course, these particular web applications are well protected and regularly tested. But what about yours? Do you have a dedicated team or service that gives you a heads-up in case a vulnerability is found in your systems?

One of our industry best practices is to execute a pentest right before a major release gets published to the public, or at least once a year. With this approach your web application will be much safer, since vulnerabilities are often introduced when deploying new functionalities, or soon after. When recurring pentests are executed by a dedicated team, these findings will be detected, and fixed, as quickly as possible.

Another advantage of pentesting is that, because the pentest team you hire does this type of assignment often, they are experienced in finding vulnerabilities, saving you valuable time and resources. Moreover, during the debriefing session, your development team will be educated on why certain vulnerabilities were there. This will increase the awareness of your team and lower the chance of introducing new vulnerabilities during the next development cycle, increasing the resilience of your application.

Protecting your internal network

A different example of the value of pentests is the scenario in which you are responsible for the (internal) network of your company. To find flaws in your network, you have decided to execute a pentest and resolve all of its findings. Now the same problem as previously described for the web application arises: when is the best time to repeat the pentest? Should you even repeat that pentest? And what about the costs?

Our advice is, again, to execute a pentest on the internal network of your company at least once per year, or whenever major changes have been applied to the internal network. With this approach, the newest vulnerabilities will be detected and the internal network will be kept secure.

However, it is also advised to run automated external scans on your network. This way, machines that are public-facing on the internet are scanned on a daily basis. With such an automated scan, you can find the newest vulnerabilities as quickly as possible and resolve them. This makes it harder for attackers to gain initial access to your company's internal network via public-facing machines.

Cost is always an argument to consider when protecting your system. However, also remember that a cyber-attack can cost your company hundreds of thousands of euros, if not more. A pentest, which will probably set you back a few thousand euros, is decidedly cheaper! Best practice, indeed.

To conclude:

  1. Pentests are very useful for finding security flaws as quickly as possible, so that you can patch your systems accordingly.
  2. Ethical (white hat) hackers perform pentests often, which makes them specialized in finding vulnerabilities efficiently.
  3. Resolving a vulnerability found during a pentest is far cheaper than rebuilding your network after a cyber-attack.
  4. Our pentesters always host a presentation on our findings at the end of the session. This is mostly for the benefit of the technical employees within the client's company, to explain and elaborate on the findings. This helps educate your developers and system administrators on how we look at your network and what type of vulnerabilities we found. Over time, your teams will become more and more efficient in making sure vulnerabilities are not repeated. This will increase your resilience against cyber security incidents and will help the maturity of your development team.

Are you interested in recurring pentests, or in automated vulnerability scans? Contact the Red Team of Thales at cyberdefencesolutions@thalesgroup.com

This service is offered in many countries worldwide, including the Netherlands.