Cybersecurity is a very large field, and it has contact with every other IT domain, and that’s what I personally like in it as it gives you an overview of ...
Performing a penetration test on your application is one of the best actions you can do to enhance its security. However, performing it at the wrong moments could impact your user’s experience or become inefficient. Therefore, when to do a penetration test?
A penetration test has to be performed in a test environment during the development phases. However, if the application is already developed and running in the production environment, performing a penetration test should be at the low web traffic hours.
Performing a penetration test against your application or your network should be a periodic task that needs to be included in your yearly planning. However, in some cases, a yearly penetration test is not enough to enhance the security of your system especially in the development or the implementation phases. Therefore, here is when you should perform a penetration test depending on your system situation.
The best moment to start making penetration testing against your application is at the development stages. Performing a security review should be done at each step of the development lifecycle. However, a penetration test could only be performed when we get a working app that can be tested.
Therefore, I highly recommend my clients to perform a penetration test at the end of the coding step where the app is working correctly and being verified in the test environment. This penetration test can also be part of the DAST process executed on the application and it will be a complementary job to find the deepest vulnerabilities in the app.
Once the application is implemented in the production environment another penetration test should be performed against the application and the environment where it is hosted.
What I have said until now for the application, remains valid for networks too. A penetration test should be performed at the end of the whole network being configured and correctly working. However, configuration security checks should be performed each time a new device is included in the network.
The test environment is the most favorable place to start performing penetration tests. In this environment, all techniques and attack scenarios could be executed against the application without fear of disturbing the clients. This is also applicable for a network implementation as performing a penetration test against the production network, may disturb the employees and in some cases stop the production.
As I first said, security reviews and checks should be performed at earlier stages of the implementation lifecycle. Architecture, Configuration, and many other network component security should be verified and discussed even before the implementation phase.
To be honest, this is the most difficult situation when we perform a penetration test as usually the application already receives high traffic and uses reel user’s data. It’s true that we take care of the client data and we don’t perform any actions that can change it. However, this reduces the number of tests that we can perform and the type of attacks scenarios that we can execute.
Performing a penetration test in this situation is sooner or later necessary. Therefore, there is no need to panic while doing it and all you need to do is to keep an eye on your production environment and take the necessary actions before starting the pentest, like making a data backup.
While performing a penetration test, a lot of tools might be used. Unfortunately, many of those tools can disturb the employees or the applications if they didn’t get used in the correct way. Moreover, some of those tools can disturb your production even if they get used correctly and I will give you some examples in the following paragraphs.
According to the cybersecurity best practices and standards, a penetration test should be performed at least twice a year. However, the more penetration tests you do the more secure the web application or the network will be.
You should know that just performing the penetration tests without fixing the issues detected is not a good idea and it is just a waste of money. Moreover, fixing the detected vulnerabilities and not performing a verification penetration test after it is also a waste of money.
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).
todayNovember 1, 2022
Blockchain technology was indeed built with security in mind. This means that it is supposed to be very secure compared to other technologies. However, Blockchain technology suffers from some weaknesses [...]