Is a thorough third-party penetration test ultimately the best way to determine whether our data store, which contains customer data and is made accessible to several Internet-facing Web apps, can’t be accessed improperly?
Ideally your data store has been developed using a secure development framework such as Microsoft’s Security Development Lifecycle (SDL). Embedding secure practices into its design and development from the beginning will have helped to create a fairly robust application. However, despite secure coding practices, static analysis and code reviews, defects can still make it through to the final version. Even if these aren’t serious in isolation, the way in which the data store is deployed and configured, and the environment in which it runs, may still leave it vulnerable to attack.
A penetration test is essential to determine whether your data store can be compromised once it is live and reachable, through the Web apps, by anyone with an Internet connection. The data store itself may be secure, but the network on which it sits should also be protected by perimeter defenses such as firewalls, intrusion detection systems and antivirus gateways, and it’s important to test that these devices are performing as intended and are effectively safeguarding the network. The interaction of multiple devices, services and functions can generate unanticipated weaknesses during system integration or deployment, and these can often only be found by subjecting the system as a whole to a pen test.
These tests can also assess the trust relationships between services, see how the access points to the data store stand up to attempts to exploit them, and measure the ability of network defenses to detect and respond to the testers’ activity. Because a penetration test mimics the actions of a real attacker, it is the most realistic of the security tests you can perform. This is why so many regulations and standards, such as PCI DSS and ISO 27001, require or expect penetration testing.
Even if the pen testers fail to access your data store, you can’t be 100% sure it is completely secure. Many current attacks against well-known sites are preceded by targeted phishing campaigns in which key individuals are singled out to extract information that will help in accessing the application. Once attackers hold a key user’s credentials, they don’t need to exploit a vulnerability in the application or the system it runs on; they can simply log in and access the data with the stolen credentials.
Given how likely this scenario is today, a thorough penetration test should also cover the organization’s defenses against spear phishing and other social-engineering attacks. If the pen testers can obtain information that gives access to the data store from your employees or from social networking sites, then your overall information security needs reviewing and improving. Remember that security is not provided by technology alone but by people and processes, too.
This was first published in December 2011