Every day there seems to be a new vulnerability or large-scale information security breach to read about. These constant reminders of cybersecurity’s importance are highly justified. But for large enterprises, which are offered multiple products and solutions to protect their systems from a growing variety of threats, it’s often difficult to determine where to start when it comes to boosting their cybersecurity confidence.

The Value of Penetration Testing

Surely a large enterprise needs to assess its weak spots and gaps before purchasing specific security products. Technically assessing systems and networks gives insight into what businesses actually need to best protect themselves. It also puts a stop to the bolting-on of the latest security product regardless of whether it is best for their systems. This need for technical assessment points to penetration testing.

Having penetration testers assess your systems can provide a comprehensive and prioritized view of what should be done to best protect them from the growing number of cyberthreats. Once penetration testing has exposed the gaps in security, the testers can make recommendations on how to close them.

In “Application Security Testing on Cloud and the Future of Penetration Testing,” Eitan Worcel articulated the value and skills of a pen tester: “Great pen testers have deep knowledge of operating systems, networking, scripting languages and more. They are also eager to learn new approaches and employ the new content that they learn in practice. They combine manual work with automated tools and conduct their testing in iterations, reviewing interim test results to build complicated attacks just like a cybercriminal would.”

How to Select the Right Pen Testing Provider

Having the required skills in house to carry out an effective penetration testing strategy would be a luxury for any enterprise. As a result, many turn to third-party providers. Knowing who to choose to carry out penetration testing can be tricky, however. Fortunately, industry standards may be beneficial because they act as a seal of quality and compliance; they can help you select the right penetration testing company for your needs.

In the U.K., for example, the CREST certifications “provide organizations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers.” Choosing a CREST-accredited penetration testing company would ensure a quality service.

The second step in selecting a penetration testing service provider would be to look at the bigger picture. Which of those accredited companies have the breadth of knowledge and services to help you fix the issues uncovered in the penetration testing phase?

A company equipped to provide the end-to-end security service — starting with penetration testing and identifying gaps — can advise on and implement the correct solutions. Not only does this close those gaps, but it proactively ensures the company is prepared to fend off future attacks and threats.

This process should be cyclical. Penetration testing should be carried out regularly, and especially when new partners, technologies or tools are added to the mix. This way, pen testing can be an important and regular part of an organization’s information security risk management process.
