Introduction

There is no doubt that in today's world, cyberattacks are a very real threat.  It does not matter which industry you are in, or how large or small your business might be; everybody is exposed to them.  You may even think that you have the best lines of defense possible, and that you are completely immune.  Well, truth be told, you are not.  Even the most fortified of businesses can still be penetrated, and their IT assets hijacked.

How can this happen, you may be asking?  It is quite possible that you have left a gap in your defense perimeter by accident, or worse yet, that one or even several weaknesses were left in your application by the software development team when they built it.  Or, the situation could be that you outsourced your code development to a third party, and they never tested the source code for vulnerabilities or weaknesses before they released it.

This is where the role of Penetration Testing can be of great benefit, in finding and quickly remediating those covert weaknesses before an attacker does.

What Is Penetration Testing?

In more technical terms, Penetration Testing (aka Pen Testing) can be defined as follows:

“[It] is a simulated cyber-attack where professional ethical hackers break into corporate networks to find weaknesses … [in] your network, application, device, and/or physical security through the eyes of both a malicious actor and an experienced cybersecurity expert to discover weaknesses and identify areas where your security posture needs improvement.

“This testing doesn’t stop at simply discovering ways in which a criminal might gain unauthorized access to sensitive data or even take over your systems for malicious purposes. It also simulates a real-world attack to determine how any defenses will fare and the possible magnitude of a breach.”

(Sources: 1 and 2).

One of the key words to take serious note of here is “ethical”.  Yes, Pen Testers think like a cyberattacker (some may even have been one in a previous life before turning over to the good side), but what they engage in is for the good of the client.

In other words, they will never step beyond the boundaries or the limits of what the customer has agreed to.  The scope and rules of engagement are set down in writing before testing begins, and if a Pen Tester feels the need to go beyond them, they must first ask the customer for permission and notify them in writing of what they are planning to do.  Testing a system without that authorization is not ethical hacking; it is simply unauthorized access.

Pen Testing is actually a lot more complex than the definition depicts.  For example, exercises can be conducted to find weaknesses in just about any aspect of your IT and network infrastructure, ranging all the way from hardware to software applications.

Why You Need Penetration Testing In The Software Development Life Cycle (SDLC)

As previously mentioned, one of the primary ways a cyberattacker can break into your company is via the weaknesses left in the source code of your applications.  Or the code itself may be weak in terms of security in different areas, simply because it has never been tested for that.

It is important to keep in mind that software developers are often under very serious time constraints to deliver the application on time and under budget, so security testing is often forgotten.  This is where the role of Pen Testing comes into play.

Keep in mind that you should not wait until the very end of development (especially not until just before the application is expected to be released into production) to Pen Test it; rather, it should be done at different stages throughout the Software Development Life Cycle (SDLC).  Here is why this is so important:

  1. To stay one step ahead of the automated hacking tools:

Given that just about everything is accessible on the Internet these days, there is a plethora of freely available hacking and scanning tools, so that even the most amateur of attackers could potentially find and exploit a weakness in your software application.  Pen Testing at different phases, and continuing to do so after the application has been released, greatly reduces the chance that it will be vulnerable to the same weaknesses those tools look for.  No testing program can guarantee that nothing will ever be found, but it removes the easy targets first.

  2. Vulnerabilities can be fixed on time:

Let’s face it, just about every product or service out there in the marketplace has some sort of security vulnerability or weakness in it, whether it is known or not.  But by testing the source code ahead of time, you will be able to address issues as they come up and fix them before moving on to the next step of the SDLC.  This not only helps to ensure a much smoother transition to the production environment, but it will also help to deliver the project on time to the customer.  For example, if you wait until the very last minute to Pen Test the source code, and a lot of vulnerabilities are found that need to be fixed, this will push the delivery date back by quite a bit, incurring extra expenses not only for the software development team, but for the customer as well.

  3. The detection of security vulnerabilities that may already exist:

In the previous examples, we have examined the importance of Pen Testing at the different stages of the SDLC.  What happens if you depend on a third party to develop the source code you need, and they claim that they have tested it for security and that all is “up to snuff”?  You take them at their word and go ahead and deploy the application.  Well, this is a situation that you never want to be in.  If you find yourself in this scenario, it is your responsibility to make sure that the source code is tested thoroughly for any security gaps and weaknesses that may already exist, and that they are remediated before the application is launched.  It is also important that you keep Pen Testing this source code (as well as any other software applications that you may have) on a regular basis, so that any future vulnerabilities can be detected and patched quickly.  By doing this, you are not only enforcing a proactive mindset within your IT Security Team, but you are also instilling a high level of confidence in your customers that you take protecting their Personally Identifiable Information (PII) very seriously.

  4. To help prepare for the worst-case scenario:

Just suppose that after all of the Pen Testing you have done, the software application in question is actually hit by a cyberattacker (as previously mentioned, there is no guarantee in anything).  Well, all is not completely lost.  Having run so many of these exercises, your IT Security Team will already have seen how the application is attacked and will be able to respond to and mitigate the threat much more quickly than if they had never practiced it before.  The result is much-reduced downtime, and you will be able to bring your mission-critical business processes back up in a much shorter timeframe.

  5. It will allow you to stay ahead in terms of compliance:

Given the ever-changing dynamics of the cyber threat landscape, pretty much all businesses are coming under the close eyes of auditors to make sure that any customer data they gather and retain is handled in compliance with regulations and standards such as HIPAA, GDPR, ISO 27001 and the PCI Data Security Standard (PCI DSS).  If an organization fails in any regard here, stiff fines and penalties can be imposed.  PCI DSS in particular explicitly requires regular penetration testing of the in-scope environment.  By conducting regular Pen Testing on the application as it moves through the various SDLC phases and afterwards, you demonstrate to the auditors that you are taking these regulations and standards seriously, and that protection of customer information/data is of paramount importance.

Conclusions

Finally, as the diagram below illustrates, Pen Testing should be conducted after each and every phase of the SDLC, and one final exercise should be done just before the application goes into production: