12 November 2019

Why a pentest doesn't give you a grip on security

We observe that the demand for pentesting is increasing. That's good news, because an increased focus on security is always a good thing. However, a misunderstanding we regularly encounter is that customers regard a pentest as the endpoint, after which they can check off the security of an application – whereas it should actually be the starting point for monitoring security throughout the entire lifecycle of an application. This is because a pentest provides no guarantee of security in the long term. It is a snapshot. If you don't understand that, you are running serious risks despite the pentest.

What is a pentest?

A pentest is an investigation in which a security specialist with a ‘hacker mindset’ uses all possible means and available information to discover how he can get inside an environment or application. The specialist also looks at the potential impact of such an attack. When the pentest is complete, you have a good picture of the security of the application. The next step is to resolve any vulnerabilities identified. Then, a new test is performed. This process is repeated until the environment is found to be secure.

At this point, attention often switches away from security. The environment has been tested and is safe according to the report. On to the next project, you might think. However, development of the environment or application that has been tested doesn't end there. The very next day, developers may be working to make the application even better and faster, and that means new vulnerabilities can arise. Perhaps a new testing environment is set up that contains system information without being properly shielded from the internet. Or an application containing vulnerabilities is taken into internal use. All of these can compromise the security of your environment at a stroke.

Hackers are always looking for vulnerabilities

Of course, it is also possible that the developers and administrators of the applications and environments have studied security best practices, which ensure that new functionality is developed securely and new services are safely deployed. However, the hackers haven't gone away. They are constantly looking for vulnerabilities and new backdoors which they can exploit to undermine the security of an environment. It is true that software vendors, among others, publish frequent security updates, but there is a time lapse between a vulnerability being publicised and the patch being installed, and that window gives hackers an opportunity to get inside your environment unnoticed.

All of this means that even after a pentest, you cannot assume that your application or environment is secure in the longer term. Unfortunately, conducting a new pentest each time you add a new function is not a realistic option in practice. Continuous security testing by specialists would give you a much better grip on the security of your application, but the costs involved mean this is not a feasible strategy either. There is, however, a cost-effective alternative: regular automated security scans. These are not as good at detecting specific vulnerabilities as a security tester, but they are much cheaper to perform.

Performing an automated security scan

An automated scan can be performed every month, week, day or even every hour. If your test environment can be reached from the internet, an automated scanner is likely to detect that fact. In addition, you can augment a 'standard' automatic scanner with specific test cases for vulnerabilities found during earlier pentests. That way, you can prevent a vulnerability detected previously from finding its way back into the application.

At first sight, an automated security scan might not seem an ideal way to get a better grip on the security of your application or environment, and on its own it isn't, because automatic scanners are relatively stupid. For instance, a scanner cannot distinguish between a test environment and the customer's public website: it produces the same result for both. It is up to the administrator to interpret which environment needs to be publicly accessible and which doesn't.
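The two points above, regression checks for vulnerabilities found in earlier pentests and the need for someone to interpret raw scanner output against what each environment is supposed to be, can be put into a small triage step that runs after every periodic scan. The following is an added example written for this article; it is not Marvin_ and not the output format of any real scanner. The inventory, the findings and the regression list are constructed sample data, and the host names, check names and finding ids are hypothetical.

```python
"""Environment-aware triage of periodic scan findings, plus regression checks
for issues found in earlier pentests.

Added example for this article; not Marvin_ and not any real scanner's format.
All data below is constructed.
"""

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed asset inventory: what each host is for and whether it is
# *supposed* to be reachable from the internet. This is the context a bare
# scanner does not have.
INVENTORY = {
    "www.example.test": {"env": "production", "internet_facing": True},
    "test.example.test": {"env": "test", "internet_facing": False},
    "intranet-app.example.test": {"env": "production", "internet_facing": False},
}

# Constructed findings in the shape a periodic scanner might emit. Note that
# the scanner reports the same "reachable_from_internet" result for the public
# site and for the test environment; only the inventory tells them apart.
FINDINGS = [
    {"host": "www.example.test", "check": "tls_version", "severity": "medium",
     "detail": "TLS 1.0 still enabled"},
    {"host": "www.example.test", "check": "reachable_from_internet", "severity": "info",
     "detail": "HTTP 200 from external vantage point"},
    {"host": "test.example.test", "check": "reachable_from_internet", "severity": "info",
     "detail": "HTTP 200 from external vantage point"},
    {"host": "test.example.test", "check": "debug_page", "severity": "high",
     "detail": "/debug returns stack traces and configuration"},
    {"host": "www.example.test", "check": "directory_listing", "severity": "low",
     "detail": "/static/ lists directory contents"},
    {"host": "old-demo.example.test", "check": "reachable_from_internet", "severity": "info",
     "detail": "HTTP 200 from external vantage point"},
]

# Constructed regression list: checks added because an earlier pentest found
# the issue and it was fixed. Seeing it again means the fix was lost.
REGRESSIONS = [
    {"id": "PT-2019-03-finding-4", "host": "www.example.test", "check": "directory_listing",
     "note": "directory listing on /static/ was fixed after the March pentest"},
]


def bump(severity, steps=1):
    """Raise a severity level by `steps`, capped at critical."""
    idx = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(idx + steps, len(SEVERITY_ORDER) - 1)]


def triage(findings, inventory, regressions):
    """Split raw findings into (issues, suppressed).

    `issues` is sorted highest priority first; each entry carries a `reason`
    so the administrator can see why the scanner's own severity was changed.
    """
    # Hosts the scanner actually reached from its external vantage point.
    exposed = {f["host"] for f in findings if f["check"] == "reachable_from_internet"}
    issues, suppressed = [], []
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            # Unknown host: stale inventory or a forgotten environment; always worth a look.
            issues.append({**f, "priority": "high", "reason": "host not in inventory"})
            continue
        if f["check"] == "reachable_from_internet":
            if asset["internet_facing"]:
                suppressed.append({**f, "reason": "exposure is expected"})
            else:
                issues.append({**f, "priority": "critical",
                               "reason": f"{asset['env']} host must not be reachable"})
            continue
        priority, reason = f["severity"], "scanner severity"
        if f["host"] in exposed and not asset["internet_facing"]:
            # Any weakness on a host that should not be exposed at all is worse.
            priority, reason = bump(priority), "on an unexpectedly exposed host"
        regressed = [r["id"] for r in regressions
                     if r["host"] == f["host"] and r["check"] == f["check"]]
        if regressed:
            priority, reason = "critical", "regression of " + ", ".join(regressed)
        issues.append({**f, "priority": priority, "reason": reason})
    issues.sort(key=lambda i: SEVERITY_ORDER.index(i["priority"]), reverse=True)
    return issues, suppressed


if __name__ == "__main__":
    issues, suppressed = triage(FINDINGS, INVENTORY, REGRESSIONS)
    for i in issues:
        print(f"[{i['priority']:8}] {i['host']:28} {i['check']:24} {i['reason']}")
    print(f"{len(suppressed)} finding(s) suppressed as expected behaviour")
```

Run as-is, the script lists the exposed test environment, the debug page on it and the regressed directory listing as critical, the unknown host as high, and the TLS finding at the scanner's own severity, while the public site's reachability is filtered out. The inventory is deliberately the only source of "should this be exposed"; keeping it accurate is the administrative work the article says a scanner cannot do for you.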

Marvin_: automated scanning with the expertise of a specialist

A solution for making your automated security scans smarter and interpreting the results correctly is Marvin_. This is a total solution in which an automated security scanner is configured by one of our security specialists. The results of the periodic security scans are first evaluated by the security specialist, so that as an administrator you are only shown relevant issues in your dashboard; the false positives have already been filtered out. What's more, because the security specialist is aware of the latest vulnerabilities, you can be assured that they will quickly be found and resolved. This keeps the security of your applications up to date, putting your mind at rest even in the periods between pentests.