How often should you undertake web penetration testing?
So many businesses don't know what web penetration testing is and the vast majority have launched their website without taking this key step. Many who have taken steps to test the security vulnerabilities of their site are under the false impression that this is a one-off activity that never has to be repeated.
We regularly remind our clients that the web penetration tests you undertake today won't be good enough for the lifetime of your website. Why? Because hackers don't stand still. While security risks are identified and successfully plugged, you can rest assured that the relentless hacking fraternity will be hard at work identifying new loopholes and ways to gain unauthorised access to your website.
It's a continually evolving situation. So how often should you perform web penetration testing on your site? The basic answer is 'more than once', but the specific answer is slightly more complicated.
Relate to Risk & Impact of an Attack
One of the simplest ways to define your penetration-testing schedule is to look at the type of site you run and the risks and implications should an attack occur.
If your site is basic in nature and doesn't hold any customer data, then it won't need to be reviewed as often as a large-scale e-commerce site that holds sensitive customer data.
If you work in a particularly sensitive or high-profile industry, where your competitors could seize upon the reputational damage of an attack, then you'll probably want to up the frequency. Similarly, if an attack on your site could be newsworthy, the fear of the resulting negative publicity may also encourage you to perform penetration testing more often.
One recent news item grabbed our attention. Chrysler was forced to admit that their "Uconnect" dashboard software was susceptible to wireless attacks after security researchers gained remote access to it. The researchers were able to control the car's steering, transmission and brake functions, which resulted in Chrysler issuing a ‘virtual’ recall of over 1.4 million vehicles. It reminded us that web security and pen testing also apply to the Internet of Things (IoT).
As a minimum, we recommend that all our clients undertake web penetration testing twice a year. For those involved in the high-risk area of IoT, we’d suggest a far more regular approach to web pen testing!
Beyond setting a date in your diary for undertaking fresh web pen testing, it is also wise to consider undertaking pen tests based on specific events.
If you have updated your site, added some new functionality or integrated a third-party plugin, it's worth considering whether now would be a good time to perform some penetration testing activity.
Similarly, if you are using a specific content management system (CMS) such as WordPress, Joomla or Drupal, we'd recommend aligning your pen tests to coincide with their major updates.
Being open source, these CMSs are particularly vulnerable to attack, which is one of the reasons we favour our own content management system. Being closed source, it denies any would-be hacker a shortcut to attacking Inspire CMS sites.
We’re not complacent though and undertake regular maintenance on our software and servers because we’re firm believers that "security through obscurity" is a dangerous philosophy to hold. Taking our security for granted is something that we’ll never do.
In the ever-changing and challenging world of cyber security, we see pen testing as a crucial means of staying as far ahead of the hackers as is reasonably possible.
Benefits of Frequent Testing
Through regular penetration testing, you are better positioned to capture the latest issues early, and close the timeframe between a threat being identified and a threat being dealt with.
A significant benefit of regularly performing web penetration testing is that it demonstrates to your clients and partners that you take the security of your website, your IT infrastructure and their data seriously. It shows that you are a proactive organisation, not a reactive one.
And it's this proactive approach that represents the most fundamental benefit to your own business. By putting in place a proper penetration testing plan you protect something very valuable to you - your reputation.
Conclusion + Recommendation
There are numerous variables at play when determining exactly how often you should undertake pen-testing activity. But our advice is clear: penetration testing is not a one-hit wonder. Don't fall into the trap of thinking that it is. It's not too late to get your site tested, but it could be soon.
If you're interested in understanding more about penetration testing and cyber security in general, there are numerous helpful online resources and regular emails you can sign up for. One of our favourites, which we recommend to all our clients, is the United States Computer Emergency Readiness Team (US-CERT) alerts email.
If you need our help, we'll be happy to advise you on the best course of action for your specific situation. At Inspire, we don’t believe in one-size-fits-all solutions – especially when it comes to the security of your website.
For a free initial consultation, please contact Fraser McMillan on 01738 700 006 or get in touch through our web enquiry form.
This article was planned and written in advance of this weekend's (01/08/2015) revelations about the Royal Bank of Scotland website being compromised. I know that RBS online security is ongoing, but with their present difficulties this issue would likely have been caused by reduced investment in ongoing penetration testing, and is a real-time example of this approach not being a one-hit wonder.
David Dwyer is Managing Director of Inspire Web Development. He has years of experience in a range of web and IT roles plus seven years in sales and marketing in a blue-chip FMCG company. David’s academic and professional qualifications include a BA (Hons) in Business Economics (Personnel & Ergonomics) from the University of Paisley, an MSc in Information Technology (Systems) from Heriot-Watt University and PRINCE2 Practitioner-level certification. He is also an active member of the British Computer Society, Entrepreneurial Exchange and Business for Scotland.
Follow Inspire on Twitter @inspireltd and @developersos