Upon discovering that a well-known company has been hacked, the manager says: “Call the information security personnel! I want a Pentest! Pronto!”
(A Pentest is a penetration test; we explain it in more detail in another section.)
This situation is serious, yet it has become common in technology companies. The massive migration of business from the real world to the virtual one means that not only the benefits have migrated, but the problems as well.
Attacks in the digital world
Generally, in the physical world, a malicious agent needs to be present at the scene of the crime. In the virtual world, however, this agent can be anywhere. Therefore, it is natural that, along with the expansion of business to the digital space, comes the expansion of cybercrime.
In this scenario, companies that previously developed systems focused only on the business rules of a specific segment must now also worry about the security of those systems. Moreover, they must worry not only about the security of the systems themselves, but about the security of the company as a whole and of its development processes, since any loophole can be used for a cyberattack.
It is common that, upon learning that their products may suffer attacks, management decides to take action. Usually, they start by calling information security personnel for a report. But there is a problem: who are the information security personnel?
Cybersecurity at company level
Depending on the size of the company and the maturity of the systems being developed, the security personnel either do not exist or consist of one or two people responsible for ensuring secure development by a few hundred developers. And that is when they are not also responsible for the security of the development and production environments of those applications.
Companies cannot be blamed for this. Cybersecurity was not such a big demand a couple of years ago, and now it has become an emergency. In addition, with the increase in demand, the value of such personnel has skyrocketed and they are rarer than unicorns in the market!
Another problem is that, in the current security market, the Pentest buzzword has become a guarantee of the security of a system. The truth is, it is not.
A Pentest (Penetration Test) is, simply put, a controlled attack attempt. That is, it allows areas of vulnerability not previously identified in the system to be discovered. Therefore, it is very important for the security cycle of any application.
However, it represents only part of that cycle. Before performing a Pentest, there is a multitude of other things that must be done.
Below, we describe some procedures that should precede a Pentest. Applying a full cybersecurity cycle can help raise the level of security of systems developed by your company.
1. Data security team
The first step is to have an information security team. Such personnel may be an internal team or not, but they must be qualified and in sufficient quantity to meet the demand.
One suggestion is: if the company does not have such personnel, it is good to start with an external body. If there is an interest in internalizing security processes, try to hire and train a team for this.
In this case, consider that this process will take time. Cybersecurity is a very broad and complex field of computing.
2. Vulnerability assessment
With a team formed, a vulnerability assessment/modeling should be done. This process can be long and must be repeated throughout the entire life cycle of a system, from development through decommissioning.
How often this assessment should be carried out depends largely on the pace of development of the system and its degree of maturity.
Generally, systems that are very actively developing should be evaluated more frequently. More mature systems, in turn, can be tested more sporadically.
In this step, it may be worth using an established method, such as LINDDUN, STRIDE, CVSS or PASTA. These models have proven effective when tested in several companies.
Creating your own model is complex and takes time to prove effective. At this point, it can present inconsistencies that will let through serious security holes until the model is properly tested and adequate.
3. Mitigation plan
Once a team has been assembled and the possible vulnerabilities have been mapped, a mitigation plan for the vulnerabilities and an action plan should be put together in case of successful or ongoing attacks. All of this falls on an information security governance team.
Development team training
Concurrently to these three initial processes, it is necessary to train developers so that they understand how to produce secure code and systems. There are several sources for this, but the most used are the good practices preached by OWASP.
OWASP, Open Web Application Security Project, is a non-profit foundation that seeks to improve software security through open-source projects spread around the world.
The project releases documents aimed at educating developers about the most relevant current risks in web applications, as well as good data protection practices.
Systems developed with the OWASP Top 10 Web Security Risks (one of these documents) in mind already have an advantage in terms of security over systems that have not considered it.
The interesting point here is that developers can add tests to the development process itself that verify the system follows the recommendations of the OWASP Top 10.
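As an added example (not code from the original article), here is what such development-time checks can look like: two small tests, written for the project's normal test suite, that exercise the 2021 OWASP Top 10 categories A03 (Injection) and A05 (Security Misconfiguration). The application functions `find_user` and `response_headers` are constructed stand-ins for real product code.

```python
"""Added example: OWASP Top 10 checks embedded in the development test suite.
The application code below is a constructed stand-in, not a real product."""
import sqlite3


# --- application code under test (constructed stand-in) --------------------

def make_db() -> sqlite3.Connection:
    """In-memory database seeded with a constructed sample user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """A03 Injection: bind the parameter instead of concatenating it."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def response_headers() -> dict[str, str]:
    """A05 Security Misconfiguration: headers every response should carry."""
    return {
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",
    }


# --- checks the development team adds to its test suite --------------------

INJECTION_PROBE = "' OR '1'='1"          # classic tautology used as test input
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options",
                    "Strict-Transport-Security", "X-Frame-Options")


def injection_probe_returns_nothing() -> bool:
    """The probe must be treated as a literal name and match no row,
    while a legitimate lookup still works."""
    conn = make_db()
    try:
        return (find_user(conn, INJECTION_PROBE) == []
                and find_user(conn, "alice") == [("alice", "admin")])
    finally:
        conn.close()


def all_required_headers_present() -> bool:
    """Every required header must be present and non-empty."""
    hdrs = response_headers()
    return all(hdrs.get(h) for h in REQUIRED_HEADERS)
```

Both checks fail the build the moment someone replaces the bound parameter with string concatenation or drops a header, which is exactly the kind of regression a later Pentest would otherwise have to catch.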
With all this in place, running a Pentest becomes worthwhile, as it will be the fine adjustment of the security measures already implemented both in the company and in the application under test.
The main tip of this article is that security is not something that is deployed in a system or in a company overnight. Security is more about culture than production. So, if your company or your project does not yet have this culture, it’s about time to plant the seed.
Are you interested in getting started or want to improve your company’s cybersecurity? Come talk to our experts. We have over 25 years of experience in the development of systems and have innovative and adaptable projects, always valuing information security in our solutions.