Security certifications such as SOC 2 and ISO 27001 are useful for an overall assessment of your technology and data governance posture. However, these certifications are somewhat subjective and do not reflect an organization's ability to withstand external cyber attacks or its actual breach risk. In a cloud-hosted environment with growing shadow IT, the risk of a data breach increases dramatically.
Collaborative software development in shared codebases, data sharing through SaaS applications, and network settings that novices can change with a few clicks can all expose vulnerabilities in an organization's tech stack. A comprehensive security test has become table stakes for every organization as part of its risk management strategy. The challenge many security, IT and compliance professionals face is which type of security test to employ for their organization.
Here we break down various types of security tests and ideas on how to think about what makes sense for your organization.
Types of security tests
Vulnerability scan
Automated test to identify known vulnerabilities based on pre-configured signatures.
Pros: Very fast; can even be run as a self-service.
Cons: Custom code is hard to test with this method; only gaps that match a known signature are flagged, so a flaw in your own code, or in a component the database has never seen, is invisible to it.
Static source code analysis
Automated analysis of source code, typically rule-based (pattern matching plus data-flow or taint tracking, with some tools adding machine-learning heuristics on top), to identify a specific set of vulnerability classes.
Pros: Fast, easy to plug into a build pipeline and run on every change.
Cons: Accuracy is limited at its current maturity level: expect false positives that need manual triage, and it does not find business-logic flaws.
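To make the contrast between the two automated approaches concrete, here is an added Python example; it is not code from the original post. It pairs a toy signature scanner, which matches installed package versions against a constructed signature list, with a toy rule-based static check that walks the Python AST looking for shell commands built from a parameter it treats as attacker-controlled. The package names, version patterns, advisory labels, the tainted identifier `user_input` and the sample source are all constructed assumptions for the illustration, not real advisories or real code.

```python
"""Added illustration: a signature-based scan beside a static source check.
Not from the original post. Package names, version patterns, labels and the
sample source below are all constructed for the example."""
import ast
import re

# Constructed signature database: (package, vulnerable-version regex, label).
# Real scanners key thousands of such entries to CVE identifiers; these two
# are hypothetical and do not describe real advisories.
SIGNATURES = [
    ("examplelib", r"^1\.(0|1)\.\d+$", "EXAMPLE-001 remote code execution"),
    ("oldcrypto", r"^0\.", "EXAMPLE-002 weak default cipher"),
]


def signature_scan(installed):
    """installed: {package name: version}. Returns (name, version, label) for
    every package whose version matches a signature. Anything the database
    has never seen, in particular the organization's own code, is invisible."""
    findings = []
    for name, version in installed.items():
        for pkg, pattern, label in SIGNATURES:
            if name == pkg and re.match(pattern, version):
                findings.append((name, version, label))
    return findings


def _mentions(node, names):
    """True if any Name inside the expression (f-string, concatenation,
    .format call, ...) is one of the given identifiers."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(node))


def static_scan(source, tainted_names=("user_input",)):
    """Rule-based static check: flag subprocess/os calls that execute a shell
    command built from a tainted identifier. Returns sorted line numbers.
    Treating parameters named in tainted_names as attacker-controlled is a
    simplification; real tools track taint from request handlers, argv, etc."""
    sinks = {"run", "call", "Popen", "check_output", "check_call", "system"}
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name not in sinks or not node.args:
            continue
        # os.system always goes through a shell; subprocess only with shell=True
        uses_shell = name == "system" or any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        )
        if uses_shell and _mentions(node.args[0], set(tainted_names)):
            hits.add(node.lineno)
    return sorted(hits)


# Constructed custom code under test: one injectable call, two benign ones.
SAMPLE_SOURCE = """import subprocess

def ping(user_input):
    # Injectable: attacker-controlled host is concatenated into a shell string
    subprocess.run("ping -c 1 " + user_input, shell=True)

def ping_fixed(user_input):
    # Argument vector, no shell interpretation: not flagged
    subprocess.run(["ping", "-c", "1", user_input])

def banner():
    # Constant command string: shell=True but nothing tainted, not flagged
    subprocess.run("uname -a", shell=True)
"""

# Constructed package inventory for the signature scan; "custom-app" stands
# in for the organization's own code, which no signature describes.
SAMPLE_INVENTORY = {"examplelib": "1.1.4", "oldcrypto": "1.2.0", "custom-app": "0.9.0"}


def demo():
    """Run both checks over the constructed inputs and return the findings."""
    return signature_scan(SAMPLE_INVENTORY), static_scan(SAMPLE_SOURCE)


if __name__ == "__main__":
    sig, static = demo()
    print("signature scan:", sig)                    # examplelib 1.1.4 only
    print("static scan, injectable lines:", static)  # [5]
```

The signature scan can only report what its database already describes: it flags the known-bad examplelib version and says nothing about the hand-written ping() function, which is exactly the custom-code gap of vulnerability scanners. The static check does find the injectable call, but only because a rule exists for that sink and that taint source; a different sink, or a command assembled through several intermediate assignments, would slip past this simplified rule, and a rule written too broadly would flag the two benign calls. That trade-off between missed findings and noisy findings is what the maturity caveat for static analysis refers to.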
Source code audit
Manual review of the source code itself, its design, and the third-party packages it depends on, to check for weaknesses.
Pros: Very reliable in identifying vulnerabilities & software design issues
Cons: Time intensive and expensive. Quality depends on the expertise of the individual/vendor conducting this.
Penetration test
Manual, in depth assessment for defined scopes.
Pros: Identifies exploitable vulnerabilities with very low false positives, including logic errors that automated tools miss.
Cons: Time intensive and expensive. Quality depends on the expertise of the individual/vendor conducting this.
To be more specific there are 2 basic types of Pen Tests:
- Blackbox: Minimal information is provided to the tester, who works from the outside in the way an external attacker would. Source code is not reviewed.
- Whitebox: Full network and configuration details are provided, and the source code is reviewed.
Factors in selecting a security test
Budget is the second most important factor in deciding how you want to implement your security test. An in-depth white box pen test can cost upwards of $50k, while an off-the-shelf vulnerability scan can be done for under $100. Cost should be weighed against the other factors discussed in this section before deciding what kind of testing makes sense.
Maturity of your tech stack is the most important driver in deciding how intrusive your test should be. At the minimum the following are basic housekeeping items that should be vetted immediately:
- Insecure setup or configuration of networks, hosts and devices. …
- Flaws in encryption and authentication.
- Code and command injection.
- Session management.
Size and location of the team correlate well with the number of security gaps a firm is likely to have. Larger teams generally imply that more in-depth testing is required. In the era of the remote-first workplace, network vulnerability testing is important.
Outsourced development teams can introduce risks into the codebase that require code vulnerability assessment tools as part of your software development release cycle.
The above are just some of the factors to consider. There are obviously a lot of different combinations of assessments that can be customized for individual needs. Another aspect of a security program that is more important than assessment is ongoing training for phishing and other technical areas.