Some years ago the common question was: should I conduct a pentest on my website? Today the real question is: how often should I conduct a pentest? This applies not only to websites but more generally to all applications and software built with web technologies. Although systems and servers also need security, this article focuses only on the application layer, where awareness of vulnerabilities is usually lowest.
What is a pentest for applications?
It is also called a penetration test or a web security audit. The goal is to attack your website or web app with your explicit, written authorization. It aims at finding the flaws in the application and exploiting them, then giving you a complete report that describes each finding, its impact and how to fix it.
A pentest is much more than an automated scan. Real testers will attack your app using automated tools, but also manual attacks that a scanner cannot perform: logic flaws, broken access control between user roles and abuse of business workflows are typical examples. Testers need to be creative: they gather information about the application's architecture and then conduct tailor-made attacks. Moreover, attack techniques evolve more quickly than security standards, so it is important to hire testers who keep their skills up to date.
Incident detection and response are complementary to pentests. Combining a preventive approach (pentests, which find flaws before an attacker does) with a reactive approach (detection and incident response, which limit the damage when an attack succeeds) brings a company closest to the highest achievable security level. This is especially relevant to companies processing highly sensitive data or content: they need to tend towards "zero risk", even though this can never be completely achieved.
How often should you perform a pentest?
Of course, not all companies will get the same answer to this question. Before planning pentests, it is necessary to evaluate the risks threatening your application: what data it holds, who would want it, and what an outage or compromise would cost. Obviously, the risks are very high for financial applications or ecommerce websites, so they need the highest level of security.
But all applications actually face the risk of being hacked. Sometimes it is because of their market value (client data, consumer data, health data, internal data of interest to competitors…). Sometimes it is because of their image (brand image, political content, militant content…). Or sometimes it is just because taking control of a website is a useful first step for more sophisticated attacks, such as hosting phishing pages or pivoting towards other systems (this applies to websites that have low market or symbolic value from an attacker's point of view but still get hacked).
In fact, pentests are useful to all web applications, but their frequency should be adjusted to the risks. For a highly sensitive application, several pentests a year are recommended, and ideally more often than any regulation or contract requires, so that problems are found before they become incidents. For a less sensitive application, it is recommended to perform a pentest at least for each new version or functionality release, since new code is where new flaws appear. In either case, retesting after the fixes are deployed confirms that the reported flaws are actually closed. You should not wait until you get hacked, because then the overall cost will be much higher, and it is sometimes difficult to evaluate the cost of a loss of image, a decrease in search ranking, or a massive shift of customers towards your competitors' solutions…
Today many companies only hire ethical hackers once their website or software has already been hacked. In a few years' time, digital security awareness may change so much that most companies will be conducting regular pentests… So what will be the next big question?