Andres Riancho, an Application and Cloud Security expert, provides insight on penetration testing and cyber defense.
Can you tell me, in your opinion, what are a few key areas of penetration testing that companies need to know about to help secure their digital perimeter?
Companies that are about to hire a penetration testing service need to focus on the following:
- Clearly define the assessment scope: Always perform penetration testing on the business-critical networks, applications and AWS accounts first. Then move on to the rest of the company resources. Knowing what is critical and what exists in your network is key.
- Professionals: Choose professionals, not companies. Big companies with big names might be attractive, but you want professionals with 5+ years of experience in your specific network, application and cloud to perform the assessment. Always ask the consulting firm to be explicit about the seniority of each individual assigned to your project, and if possible ask the consulting firm to disclose their names (LinkedIn is your friend after that).
- Periodic assessments: Business-critical resources need to be analyzed every 6 to 12 months, depending on the development team velocity and other changes that affect the overall environment.
- Focus on automation: Before hiring a consulting firm, perform your own vulnerability assessments using automated tools. There are quite a few automated vulnerability scanners which provide easy-to-use SaaS services. Use them to perform automated weekly or nightly scans on your environment. Fix all critical, high and medium severity vulnerabilities before moving to the next stage: penetration testing.
What are some uncommon things companies fail to consider when they’re looking to shore up their defense?
When companies start to grow, it is pretty common to lose track of the IT inventory. Some areas of the company might be really good at going through the right process to create new applications, sites, etc., but others (in my experience), like marketing, are going to create a new domain for a specific product, host the application at any random location, add an insecure CMS, pay for it with the manager’s corporate credit card and forget it exists. These sites are part of the company’s IT inventory and should at least be scanned for vulnerabilities in an automated way.
Smaller companies aren’t even doing automated vulnerability assessments to discover trivially exploitable issues.