Getting Started with Security Testing: A Practical Guide for Startups
A common misconception among startup founders is that cybercriminals won’t waste time on them, because they’re not big or well known enough yet. But just because you are small doesn’t mean you’re not in the firing line. The size of a startup does not exempt it from cyber attacks: hackers constantly scan the internet looking for flaws they can exploit, and one slip-up can put your business on the front page for the wrong reasons.
Fortunately, buyers are also becoming increasingly aware of the importance of cyber security, and are commonly asking startups about the processes they use to secure their data - meaning cyber security is now becoming an important business enabler.
So if you're a CTO thinking about ramping up your web or mobile apps’ cybersecurity posture, then you are already on the right track, but with so many options, where should you start?
To help you get going, we created this guide that covers the following crucial points:
- Answering the question, “What is security testing?”
- Understanding the reasons to perform security testing
- Defining the scope of cyber security testing
- Knowing when to perform penetration testing
What Is Security Testing?
Security testing is a broad term that refers to the process of checking a system, network, or piece of software for vulnerabilities that hackers and other threat actors can take advantage of. It can come in many forms, so in this article we will explore two of its major components:
- Vulnerability Assessment: an automated security test using tools to scan your systems or applications for security issues. These tools are called “vulnerability scanners”, and they perform automated tests to uncover flaws within your applications or infrastructure. The types of flaws could be application-level weaknesses, cloud configuration issues, or simply surfacing software with missing security patches (one of the most common causes of cyber security breaches).
- Penetration Testing: Primarily a manual assessment by a cyber security expert (although it is usually supported by vulnerability scanning tools), which also determines the extent to which threat actors could exploit the vulnerabilities found.
Penetration testing is a great way to find as many weaknesses as possible at a certain point in time, but you should consider how quickly you get alerted to new vulnerabilities after the pen testers have gone home (tip: not quickly enough, you’ll want a vulnerability scanner for that).
Vulnerability scanners also enable organisations to learn more about their security status before committing to more in-depth and usually more expensive manual tests. This is a no-brainer in many cases, as penetration testers will often start their tests by running the same automated tools. And you wouldn’t want to make it too easy for them, would you! ;)
Why Perform Security Testing?
Veracode’s State of Software Security Report revealed that 83% of the study sample, comprising 85,000 software applications used by 2,300 companies worldwide, had at least one security vulnerability discovered during an initial security test. Without the test, these flaws would have been released into production, making the software vulnerable to cyber attacks.
If for this reason you’ve decided to start security testing simply to find your weaknesses before the hackers do, then great. You have the flexibility to decide your own requirements, so skip ahead to the next section. Otherwise, other common reasons to perform security testing are:
- Third-party or customer requests. If partners or customers have specifically requested that you perform security testing to ensure that their customer data remains safe from cyber attackers, you may have more stringent requirements. However, there can still be room for interpretation. It’s very common that customers will require a “penetration test”, but they rarely specify what that means exactly.
- Compliance certifications and industry regulations. Many industry regulations or compliance certifications also require organizations to undergo regular security testing. Common examples include ISO 27001, PCI DSS, and SOC2. These standards specify the testing required in various levels of detail, but even the most specific doesn’t specify exactly how or what to test, as it depends on the scenario at hand. For this reason it’s often accepted that the company being tested is best placed to determine what level of security testing makes sense in their scenario. So you may find the guidance below is still useful in determining what and how to test.
Think about Strategy before Individual Security Tests
Risk Assessment: How much of a target are you?
Every company is unique, and for that reason your risk will be unique to you. However, it can be hard to know what the right level of testing is. You can use the following as a rough guide to what we see in the industry:
1. If you don't store particularly sensitive data
For example, you might provide a website uptime monitoring tool, and don’t store particularly sensitive data. Until you grow large enough to be targeted specifically, you probably only need to worry about indiscriminate hacks by those looking for easy pickings. If so, you’re more likely to only need automated vulnerability scans. Focus on any internet-exposed (or potentially exposed) systems: remote access (VPNs, remote admin logins), firewalls, websites or applications, APIs, as well as systems that may find themselves online by accident (anything inside a cloud platform can too easily be exposed to the internet by mistake).
2. If you store customer data
Maybe you’re a marketing data analysis platform, so you may face fewer threats from insiders and criminal gangs, but you certainly need to worry about customers accessing each other’s data, or a general data breach. Or, for example, if you have an app that anyone can register for online, you will want to consider an “authenticated” penetration test from the perspective of a normal user, but maybe not from the perspective of an employee with limited back-end access. You’ll also want to make sure employee laptops are fully patched with the latest security updates.
3. If you're offering a financial service
If you’re a FinTech startup moving money around, you will need to worry about malicious customers, and even malicious employees, as well as cyber criminal gangs targeting you. If so, you will want to consider continuous vulnerability assessment plus regular full manual penetration tests covering all of these scenarios.
4. If you don’t have anything exposed to the internet
Maybe you don’t have anything exposed to the internet at all, or don’t develop customer-facing applications, so your main attack surface is employee laptops and cloud services. In this case automated vulnerability scanning of your own laptops makes the most sense, and you could consider a more aggressive type of penetration testing, known as “red teaming”, if you need additional assurance.
What do you need to protect?
Ideally, before planning the security testing itself, you should consider what assets you have, both technical and informational, a process known as “asset management”.
A very simple example could be: “We have 70 employee laptops, use mostly cloud services, and have our customer data stored and backed up in Google Cloud Platform, and an app that allows both admin and customer access. Our most important data is the data we store on behalf of customers, and our employee data in our HR systems.” Thinking this through then helps you start to form the basis for scoping a test. For example:
- Our HR system is a cloud service, so we simply ask them for their proof of security testing (and so don’t need to test them ourselves).
- What IP addresses do we have in Google Cloud, and what domains have we registered? (There are tools that can help with this ;) )
- Our engineers don’t download the production database, but do have access to our cloud systems, so their laptops and cloud & email accounts are also part of our attack surface.
How Often Should a Small Business Perform Security Testing?
It depends on the type of test! Clearly the benefit of automated tests is that they can be run as regularly as you want, while penetration tests are more costly to run frequently.
Performing routine vulnerability scanning at least once a month can help strengthen your IT infrastructure, and is recommended by the National Cyber Security Centre (NCSC). This practice helps companies keep an eye on the never-ending list of new threats; over 10,000 new vulnerabilities are reported every year.
Aside from regular vulnerability scanning, it is also advisable to run scans every time system changes are made. Knowing exactly how frequently to perform vulnerability scans can be tricky, so if you’re interested to learn more, we’ve written a more detailed article on that topic.
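To make the two ideas above concrete (the asset inventory from “What do you need to protect?” and the monthly scan cadence from this section), here is an added example of a small inventory check. It is not code from the original article or from Intruder: it assumes a 30-day interval as the “at least once a month” cadence, and the hostnames, dates and the supplier-managed HR service are constructed to mirror the example company described earlier.

```python
"""Asset inventory and scan-cadence check.

Added example, not the article's or Intruder's own tooling. It models the
"What do you need to protect?" inventory and the monthly scanning cadence.
Interval, hostnames and dates are assumed / constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed cadence: the article cites NCSC guidance of at least one scan a month.
SCAN_INTERVAL = timedelta(days=30)
TODAY = date(2024, 6, 1)  # constructed "current date" so the example is reproducible


@dataclass
class Asset:
    name: str
    kind: str                              # laptop, cloud-vm, web-app, saas, domain
    internet_exposed: bool                 # reachable by opportunistic internet scanning
    managed_by_third_party: bool = False   # e.g. an HR SaaS: ask them for their evidence
    last_scanned: Optional[date] = None
    last_changed: Optional[date] = None


def attack_surface(assets: List[Asset]) -> List[str]:
    """Assets we operate ourselves that an internet attacker can reach directly."""
    return [a.name for a in assets if a.internet_exposed and not a.managed_by_third_party]


def scan_action(asset: Asset, today: date) -> str:
    """Decide what the monthly-scan policy requires for one asset."""
    if asset.managed_by_third_party:
        return "request supplier security-testing evidence"
    if asset.last_scanned is None:
        return "never scanned: scan now"
    age = today - asset.last_scanned
    if age > SCAN_INTERVAL:
        return f"overdue: last scan {age.days} days ago"
    # The article advises rescanning whenever a system changes.
    if asset.last_changed is not None and asset.last_changed > asset.last_scanned:
        return "changed since last scan: rescan"
    return "ok"


def prioritised_actions(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Outstanding actions only, internet-exposed assets first (stable otherwise)."""
    pending = [(a, scan_action(a, today)) for a in assets]
    pending = [(a, act) for a, act in pending if act != "ok"]
    pending.sort(key=lambda pair: not pair[0].internet_exposed)
    return [(a.name, act) for a, act in pending]


# Constructed inventory loosely following the article's example company.
CONSTRUCTED_INVENTORY = [
    Asset("hr-saas", "saas", True, managed_by_third_party=True),
    Asset("app.example.com", "web-app", True,
          last_scanned=date(2024, 5, 20), last_changed=date(2024, 5, 28)),
    Asset("gcp-db-backup-vm", "cloud-vm", False, last_scanned=date(2024, 4, 10)),
    Asset("vpn.example.com", "cloud-vm", True,
          last_scanned=date(2024, 5, 15), last_changed=date(2024, 5, 1)),
    Asset("laptop-042", "laptop", False),
    Asset("example.com", "domain", True, last_scanned=date(2024, 5, 25)),
]

if __name__ == "__main__":
    print("Internet-facing attack surface:", attack_surface(CONSTRUCTED_INVENTORY))
    for name, action in prioritised_actions(CONSTRUCTED_INVENTORY, TODAY):
        print(f"{name:20} {action}")
```

The ordering rule is the point: an overdue scan on something reachable from the internet matters more than one on an internal laptop, and a supplier-run service is handled by asking for their testing evidence rather than scanning it yourself.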
Types of Vulnerability Scanner
You can choose from several types of vulnerability scanner: network-based, agent-based, web application and infrastructure. The choice depends on what assets you aim to protect, although there are some guidelines to follow to help you select the most suitable vulnerability scanner for your company.
Some classic examples of network scanners are Nessus and Qualys. Both are market leaders and provide a robust level of security and vulnerability coverage. A modern alternative that you could consider, if you want a tool that is easy to get started with, is Intruder. This online vulnerability scanner has been specifically developed to save small businesses time, while providing high-quality checks, as well as automatic scans for emerging threats.
What are the Benefits of Vulnerability Assessment?
Vulnerability assessment aims to automatically uncover as many security flaws as possible so these can be mitigated before threat actors can get to them. It also helps make penetration testing, which, in contrast, is a manual process, more efficient. In fact, as explained by the NCSC, “By taking care of the ‘low hanging fruit’ through regular vulnerability scanning, penetration testing engagements can more efficiently focus on complicated security issues that are better suited to a human.”
When to run a penetration test?
Pen testers mimic real-life cyber attackers, but unlike threat actors, they follow a predefined scope and do not abuse the organization’s assets and data. Compared to vulnerability scanning they are much more likely to uncover complicated or high impact business-layer weaknesses, such as manipulating product pricing, using a customer account to access another customer’s data, or pivoting from one initial weakness into full system control. The downside is that in comparison it’s expensive, so when is the right time to run one?
Think along the key timelines of the risk assessment above, for example after your product is developed, but before you start taking on real customer data. Or after you hold some non-sensitive customer data, but before you start holding salary, or health related information.
Once you’re up and running, penetration testing should be performed after major changes, such as altering your authentication system or releasing a major new feature, or after 6-12 months of small changes (as each one in theory could accidentally introduce a weakness). Again, this depends on your risk level: if you’re moving money around, testing as often as every 3 months (or more!) would be advisable, but if you’re on the lower end of the risk spectrum, once every 12 months is a commonly accepted schedule.
Several types of penetration testing exist. Penetration testing can look for security flaws in technology, such as in your external and internal networks as well as web applications. However, it can also find vulnerabilities in an organization’s human resources, such as in the case of social engineering. The pen testing company you choose would depend on the type of assets you want to test, but other factors, such as certifications, price, and experience should be considered as well.
How to Scope a Penetration Test?
Penetration tests must always have a defined scope, to help the testers make the most of their time, and focus on key security concerns. A good penetration testing scope should answer the following questions:
- What assets are included, is it just specific IPs and domains to attack (e.g. only the testing environment), or could the testers target any production company systems, or even executive/engineering email accounts?
- Are there any specific objectives of the test or questions to answer? E.g. Subvert authorisation workflows. Corrupt company data. Use regular employee access to gain access to restricted company data. Gain access to the build server and corrupt a release with a backdoor.
- Anything specifically not in scope, for example Denial of Service testing (simply overloading systems with traffic), or physically sneaking into company offices.
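The three questions above translate naturally into a written scope that both sides can check against. As an added example (not from the original article or any vendor), the helper below encodes in-scope networks and domains, explicit exclusions, and disallowed activities, and answers “is this target in scope?” before any test traffic is sent. The address range 203.0.113.0/24 and the example.com hostnames are documentation values; the engagement itself is constructed.

```python
"""Penetration-test scope check.

Added example, not part of the original article. It encodes the scoping
questions (assets in, explicit exclusions, disallowed activities) and answers
"is this target in scope?" Exclusions always take precedence over inclusions.
The networks, hostnames and exclusions below are constructed.
"""
import ipaddress
from typing import Iterable, Tuple
from urllib.parse import urlparse


def _domain_matches(host: str, pattern: str) -> bool:
    """'*.x.y' covers subdomains of x.y only; a plain name must match exactly.

    The apex (x.y itself) must be listed explicitly, so nothing is in scope
    by accident."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


class Scope:
    def __init__(self, in_networks: Iterable[str], in_domains: Iterable[str],
                 out_networks: Iterable[str] = (), out_domains: Iterable[str] = (),
                 excluded_activities: Iterable[str] = ()):
        self.in_networks = [ipaddress.ip_network(n, strict=False) for n in in_networks]
        self.out_networks = [ipaddress.ip_network(n, strict=False) for n in out_networks]
        self.in_domains = list(in_domains)
        self.out_domains = list(out_domains)
        self.excluded_activities = {a.lower() for a in excluded_activities}

    def check(self, target: str) -> Tuple[bool, str]:
        """Return (in_scope, reason) for an IP address, hostname or URL."""
        if "://" in target:                      # accept URLs as well as bare hosts
            target = urlparse(target).hostname or ""
        try:
            ip = ipaddress.ip_address(target)    # handles IPv4 and IPv6 literals
        except ValueError:
            ip = None
        if ip is not None:
            if any(ip in n for n in self.out_networks):
                return False, "explicitly excluded network"
            if any(ip in n for n in self.in_networks):
                return True, "in-scope network"
            return False, "IP not listed in scope"
        host = target.lower().rstrip(".")
        if any(_domain_matches(host, p) for p in self.out_domains):
            return False, "explicitly excluded host"
        if any(_domain_matches(host, p) for p in self.in_domains):
            return True, "in-scope host"
        return False, "host not listed in scope"

    def activity_allowed(self, activity: str) -> bool:
        """E.g. Denial of Service or physical entry are commonly excluded."""
        return activity.lower() not in self.excluded_activities


# Constructed scope for a fictional engagement.
ENGAGEMENT = Scope(
    in_networks=["203.0.113.0/24"],
    in_domains=["*.test.example.com", "app.example.com"],
    out_networks=["203.0.113.250/32"],           # e.g. a shared production gateway
    out_domains=["mail.test.example.com"],
    excluded_activities=["denial of service", "physical intrusion"],
)

if __name__ == "__main__":
    for t in ["203.0.113.10", "203.0.113.250", "api.test.example.com",
              "https://mail.test.example.com/login", "test.example.com", "10.0.0.1"]:
        print(f"{t:40} {ENGAGEMENT.check(t)}")
    print("DoS allowed?", ENGAGEMENT.activity_allowed("Denial of Service"))
```

Anything not explicitly listed is out of scope, which is the safer default for both the testers and the company: the answer to “could the testers target any production system?” is then a deliberate line in the scope rather than an assumption.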
Security testing is a critical cyber security process that aims to detect vulnerabilities in systems, software, networks, and applications. Its most common forms are vulnerability assessment and penetration testing, but the goal is always to address security flaws before malicious actors can exploit them.
Keep in mind that threat actors also perform routine security testing to look for any vulnerability they can abuse. One security flaw could be enough for them to launch large-scale cyber attacks. While this could be frightening, your company can stay better protected by performing cyber security tests regularly.
We understand that implementing this strategy can be challenging, as there is no one-size-fits-all security testing solution. Small businesses may also hesitate to invest in an intangible product, especially one they may not fully understand because of all the technical jargon. Nowadays, many tools offer free trials, which present a great opportunity for small businesses to find the right solution before committing to a bigger investment.
In line with our mission to make cyber security simple and easy, we hope that this guide in getting started with security testing helped you. Don’t hesitate to reach out to us if you have questions about vulnerability assessment and penetration testing!