Penetration Testing Frequently Asked Questions
When is penetration testing required?
You have developed an application (in-house or outsourced), purchased an application (a commercial off-the-shelf product), or purchased software as a service (SaaS), and have concerns or compliance requirements regarding the security of the application or the data it stores. These concerns can be broadly categorised, in that an adversary or malicious user could:
- exploit the application to gain access to the hosting infrastructure;
- exploit the application to manipulate the business logic and perform malicious actions;
- exploit the application to exfiltrate sensitive data;
- exploit the application to compromise user accounts; or
- disrupt the availability of the application or services provided.
These concerns carry a risk to the business, such as the compromise of the internal network, direct financial loss or indirect financial loss through the loss of customers, the loss of intellectual property, reputational damage, or legal and compliance repercussions.
Will penetration testing damage a system?
Penetration testing should be conducted in a development, user acceptance, or testing environment. Penetration tests involve sending the application large amounts of unexpected data, which will result in unexpected behaviour. In our experience this risk is often a little overstated, and an experienced penetration tester will rarely cause issues that impact other users of the application. If you’re confident about the security of the application and have backups, then testing in production is also suitable.
How often should penetration testing be conducted?
This can depend on GRC requirements, but from a technical standpoint, penetration tests should be conducted whenever substantial new functionality is added to the application. If there is a high security requirement for the application, then more regular penetration testing, such as every year, should be performed, as attack techniques, tools, payloads, and methodologies are continuously evolving.