Getting Started with Security Testing: A Practical Guide for Startups
A common misconception among startup founders is that cybercriminals won’t waste time on them, because they’re not big or well known enough yet.
But just because you are small doesn’t mean you’re not in the firing line. The size of a startup does not exempt it from cyber-attacks – hackers constantly scan the internet looking for flaws that they can exploit; one slip-up, and your business can become front-page news, for the wrong reasons.
Fortunately, buyers are also becoming increasingly aware of the importance of cybersecurity and are commonly asking startups about the processes they use to secure their data – meaning cybersecurity is now becoming an important business enabler.
So if you’re a CTO thinking about ramping up your web or mobile apps’ cybersecurity posture, then you are already on the right track, but with so many options, where should you start?
To help you get going, we created this guide that covers the following crucial points:
Security testing is a broad term that refers to the process of checking a system, network, or piece of software for vulnerabilities that hackers and other threat actors can take advantage of. It can come in many forms, so in this article, we will explore two of its major components:
Penetration testing is a great way to find as many weaknesses as possible at a certain point in time, but you should consider how quickly you get alerted to new vulnerabilities after the pen testers have gone home (tip: not quickly enough; you’ll want a vulnerability scanner for that).
Vulnerability scanners also enable organizations to learn more about their security status before committing to more in-depth and usually more expensive manual tests. This is a no-brainer in many cases, as penetration testers will often start their tests by running the same automated tools. And you wouldn’t want to make it too easy for them, would you! 😉
Veracode’s State of Software Security Report revealed that 83% of the study sample, comprising 85,000 software applications used by 2,300 companies worldwide, had at least one security vulnerability discovered during an initial security test. Without the test, these flaws would have been released into production, making the software vulnerable to cyber attacks.
If, for this reason, you’ve decided to start security testing simply to find your weaknesses before the hackers do, then great. You’ve got the flexibility to decide your own requirements; skip ahead to the next section. Otherwise, other common reasons to perform security testing are:
Every company is unique, and for that reason, your risk will be unique to you. However, it can be hard to know what’s the right level of testing. You can use the following as a rough guide to what we see in the industry:
1. If you don’t store particularly sensitive data
For example, you might provide a website uptime monitoring tool and don’t store particularly sensitive data. Until you grow large enough to be targeted specifically, you probably only need to worry about indiscriminate hacks by those looking for easy pickings. If so, you’re more likely only to need automated vulnerability scans.
Focus on any internet-exposed (or potentially exposed) systems: remote access (VPNs, remote admin logins), firewalls, websites or applications, APIs, as well as systems that may find themselves online by accident (anything inside a cloud platform can too easily be put on the internet by mistake).
2. If you store customer data
Maybe you’re a marketing data analysis platform, so you may face fewer threats from insiders and criminal gangs, but you certainly need to worry about customers accessing each other’s data or a general data breach. Or, if you have an app that anyone can register for online, you will want to consider an “authenticated” penetration test from the perspective of a normal user – but maybe not from the perspective of an employee with limited back-end access. You’ll also want to make sure employee laptops are fully patched with the latest security updates.
3. If you’re offering a financial service
If you’re a FinTech startup moving money around, you will need to worry about malicious customers and even malicious employees – as well as cybercriminal gangs targeting you.
If so, you will want to consider continuous vulnerability assessment and regular full manual penetration tests from all these scenarios on top.
4. If you don’t have anything exposed to the internet
Maybe you don’t have anything exposed to the internet at all or don’t develop customer-facing applications – so your main attack surface is employee laptops and cloud services. In this case, automated vulnerability scanning of your own laptops makes the most sense, and you could consider a more aggressive type of penetration testing known as “red teaming” if you need additional assurance.
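Point 1 above singles out remote-access services and cloud assets that end up on the internet by accident. As an added example (not from the original article), the script below runs that check over a constructed Google Cloud firewall-rule export; the list of "sensitive" ports and the rule names are assumptions for illustration.

```python
# Flag GCP firewall rules that open remote-admin or database ports to the whole internet (added example).
import json

SENSITIVE_PORTS = {22, 3389, 5900, 3306, 5432, 27017, 6379}  # ssh, rdp, vnc, mysql, postgres, mongodb, redis (assumed list)
INTERNET = {"0.0.0.0/0", "::/0"}

def port_spec_hits(spec, sensitive):
    """Sensitive ports matched by one GCP 'ports' entry, e.g. '22' or '3000-6000'."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return {p for p in sensitive if lo <= p <= hi}

def exposed_ports(rule, sensitive=SENSITIVE_PORTS):
    """Sensitive TCP ports this rule opens to any internet source; empty set if none."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return set()
    if not INTERNET & set(rule.get("sourceRanges", [])):
        return set()  # restricted to specific source ranges, not world-reachable
    hits = set()
    for allow in rule.get("allowed", []):
        if allow.get("IPProtocol") not in ("tcp", "all"):
            continue  # UDP/ICMP rules are out of scope for this check
        ports = allow.get("ports")
        if not ports:
            return set(sensitive)  # no 'ports' key means every port is allowed
        for spec in ports:
            hits |= port_spec_hits(spec, sensitive)
    return hits

def find_exposures(rules):
    """Map rule name -> sorted sensitive ports it exposes, for rules with at least one."""
    out = {}
    for rule in rules:
        hits = exposed_ports(rule)
        if hits:
            out[rule["name"]] = sorted(hits)
    return out

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "allow-ssh-office", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "debug-open", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3000-6000"]}]},
 {"name": "old-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "disabled": true, "allowed": [{"IPProtocol": "all"}]}
]""")

if __name__ == "__main__":
    print(json.dumps(find_exposures(SAMPLE_RULES), indent=1))  # only "debug-open" should appear
```

A rule that passes this check can still be reachable through a load balancer or a second network, so treat the output as the starting scope for a scan rather than a clean bill of health.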
Ideally, before planning the security testing itself, you should consider what assets you have, both technical and informational, a process known as “asset management.”
A very simple example could be: “We have 70 employee laptops, use mostly cloud services, and have our customer data stored and backed up in Google Cloud Platform, and an app that allows both admin and customer access. Our most important data is the data we store on behalf of customers, and our employee data in our HR systems.” Thinking this through then helps you start to form the basis for scoping a test. For example:
It depends on the type of test! Clearly, the benefit of automated tests is that they can be run as regularly as you want, while penetration tests are more costly to run frequently.
Performing routine vulnerability scanning at least once a month can help strengthen your IT infrastructure and is recommended by the National Cyber Security Centre (NCSC). This practice helps companies keep an eye on the never-ending list of new threats; over 10,000 new vulnerabilities are reported every year. Aside from regular vulnerability scanning, it is also advisable to run scans every time system changes are made.
You can choose from several types of vulnerability scanners: network-based, agent-based, web application, and infrastructure. The choice depends on what assets you aim to protect.
Some classic examples of network scanners are Nessus and Qualys. Both are market leaders and provide a robust level of security and vulnerability coverage. A modern alternative that you could consider if you want a tool that is easy to get started with is Intruder.
This online vulnerability scanner has been specifically developed to be usable by non-security experts, while providing high-quality checks, as well as automatic scans for emerging threats.
Vulnerability assessment aims to automatically uncover as many security flaws as possible so these can be mitigated before threat actors can get to them. It also helps make penetration testing, which, in contrast, is a manual process, more efficient. In fact, as explained by the NCSC, “By taking care of the ‘low hanging fruit’ through regular vulnerability scanning, penetration testing engagements can more efficiently focus on complicated security issues that are better suited to a human.”
Pen testers mimic real-life cyber attackers, but unlike threat actors, they follow a predefined scope and do not abuse the organization’s assets and data. Compared to vulnerability scanning, they are much more likely to uncover complicated or high-impact business-layer weaknesses, such as manipulating product pricing, using a customer account to access another customer’s data, or pivoting from one initial weakness into full system control. The downside is that in comparison, it’s expensive, so when is the right time to run one?
Think along the key timelines of the risk assessment above, for example, after your product is developed but before you start taking on real customer data. Or after you hold some non-sensitive customer data, but before you start holding salary or health-related information.
Once you’re up and running, penetration testing should be performed after major changes, such as altering your authentication system or releasing a major new feature, or after 6-12 months of small changes (as each one, in theory, could accidentally introduce a weakness).
Again, this depends on your risk level: if you’re moving money around, testing as often as every three months (or more!) would be advisable, but if you’re on the lower end of the risk spectrum, once every 12 months is a commonly accepted schedule.
Several types of penetration testing exist. Penetration testing can look for security flaws in technology, such as in your external and internal networks as well as web applications. However, it can also find vulnerabilities in an organization’s human resources, such as in the case of social engineering.
The pen testing company you choose would depend on the type of assets you want to test, but other factors, such as certifications, price, and experience, should be considered as well.
Security testing is a critical cybersecurity process that aims to detect vulnerabilities in systems, software, networks, and applications. Its most common forms are vulnerability assessment and penetration testing, but the goal is always to address security flaws before malicious actors can exploit them.
Keep in mind that threat actors also perform routine security testing to look for any vulnerability they can abuse. One security flaw could be enough for them to launch large-scale cyber attacks. While this could be frightening, your company can stay better protected by performing cybersecurity tests regularly.
Implementing this strategy can be challenging, as there is no one-size-fits-all security testing solution. Small businesses may also hesitate to invest in an intangible product, especially one they may not fully understand because of all the technical jargon. Nowadays, many tools offer free trials, which present a great opportunity for small businesses to find the right solution before committing to a bigger investment.
If you’re in need of a modern, easy-to-use security testing solution, Intruder offers a 30-day free trial of their vulnerability assessment platform. Visit their website today to take it for a spin!