Every day there seems to be a new vulnerability or large-scale information security breach to read about. These constant reminders of cybersecurity’s importance are highly justified. But for large enterprises, which are offered multiple products and solutions to protect their systems from a growing variety of threats, it’s often difficult to determine where to start when it comes to boosting their cybersecurity confidence.

The Value of Penetration Testing

A large enterprise should assess its weak spots and gaps before purchasing specific security products. Technically assessing systems and networks shows what a business actually needs in order to protect itself, and it discourages the habit of bolting on the latest security product regardless of whether it fits the systems in question. This need for technical assessment points to penetration testing.

Having penetration testers assess your systems can provide a comprehensive and prioritized view of what should be done to best protect them from the growing number of cyberthreats. Once penetration testing has exposed the gaps in security, the testers can make recommendations on how to close them.

In “Application Security Testing on Cloud and the Future of Penetration Testing,” Eitan Worcel articulated the value and skills of a pen tester: “Great pen testers have deep knowledge of operating systems, networking, scripting languages and more. They are also eager to learn new approaches and employ the new content that they learn in practice. They combine manual work with automated tools and conduct their testing in iterations, reviewing interim test results to build complicated attacks just like a cybercriminal would.”

How to Select the Right Pen Testing Provider

Having the skills in house to carry out an effective penetration testing strategy would be a luxury for any enterprise, so many turn to third-party providers. Knowing whom to choose can be tricky, however. Industry standards help here: they act as a seal of quality and compliance, and they narrow the field to providers that have demonstrated a baseline of competence.

In the U.K., for example, the CREST certifications “provide organizations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers.” Choosing a CREST-accredited penetration testing company is a sound starting point, though accreditation speaks to the provider's competence rather than to the scope, rules of engagement or reporting quality of any individual engagement, which still need to be agreed up front.

The second step in selecting a penetration testing service provider is to look at the bigger picture. Which of the accredited companies have the breadth of knowledge and services to help you fix the issues uncovered in the penetration testing phase?

A company equipped to provide an end-to-end security service, starting with penetration testing and identifying gaps, can advise on and implement the appropriate fixes. This not only closes the gaps that were found but also helps the organization prepare for future attacks and threats.

This process should be cyclical. Penetration testing should be repeated on a regular schedule, and additionally whenever new partners, technologies or tools are added to the environment. In this way, pen testing becomes an important and recurring part of an organization's information security risk management process.
