Most of us are aware that cybersecurity is increasingly important. So much so that Gartner estimates global cybersecurity spending now exceeds 839 million euro, and Gartner CyberSecurity Ventures estimates that a business falls victim to an attack every 11 seconds. Work-from-home scenarios pushed by COVID-19 have exacerbated these risks, creating vulnerabilities around remote access, a widely distributed user base, and employees accessing potentially sensitive data from their own, often unsecured, computers. As a result, pentesting, which helps you identify and mitigate these risks, is more important than ever. That much, nearly everyone knows.

While more organizations are pentesting than ever before, it can still be difficult to decide when and how often you should pentest. How much is enough? What's a reasonable budget? And when are the most effective times to pentest?

While some of these answers depend on your organization, its risk profile, and its number of users, this article goes over the basics of what you might need. If you'd like a more detailed, personal assessment, consider contacting us for recommendations specific to your organization.

Why Conduct Regular Pentesting?

Deciding when to pentest starts with deciding why you pentest. Many organizations still pentest purely for compliance: once a year, typically a few weeks before the compliance audit, and then not again until the next audit comes due. There are plenty of other reasons you might want to run a pentest:

  • Reduce the risk of automated hacking tools finding easily exploitable vulnerabilities
  • Detect and fix vulnerabilities before human attackers do
  • Identify vulnerabilities to resolve as part of a new software, website, or app version
  • Enable ongoing security, including new patches
  • Protect your customers and your business
  • Ensure code is secure before it goes live
  • Point developers to issues before they publish new code
  • Check for poor or ineffective security practices across your applications
  • Measure the performance of security controls and preventative measures
  • Document security weaknesses
  • Reduce long-term costs by preventing breaches

When Should You Pentest Software and Applications?

In most cases, the best time to run a pentest is before new code goes live: test applications, networks, and code before deployment, before they reach a live environment. For some organizations that means a lot of testing. If you routinely push updates on a rapid release cycle, like Facebook pushing updates every 2-3 hours, testing every release gets expensive. Instead, you can identify when major changes happen, plan to pentest then, and review everything else as part of other updates. The more often you push changes, the harder this becomes to pull off.

At the same time, when to pentest depends heavily on why you're pentesting. The schedule above is ideal if your goal is a secure environment; it's less so if your goal is simply to meet compliance.

Essentially, if you want to pass a PCI DSS audit, you'd test once a year. If you want to ensure ongoing code security before updates or major feature launches, you'd schedule pentests as part of development.

Depending on budget, that might be:

  • At every critical stage of software development
  • At key points of the agile development cycle, as chosen by developers
  • Each time major changes are made to the application or code (e.g., before deployment, before the system goes live)
  • When the system is no longer in a state of change

And, of course, budget should depend on your total risk profile, profit margins, and so on.

Larger organizations, which carry more risk, should consider pentesting more often; once per quarter or more is not excessive if the goal is ongoing security. Smaller organizations likely need to be more careful with budget. Here, you might want to time updates around pentests, so that you pentest before every major code change.