The definitive top 5 pentesting must-know

Top 5 things you must absolutely know about pentesting — CyberForged

Good morning everybody!

Today we are going to deal with a less narrative and more listing type topic. Do you remember when a few days ago we talked about pentesting? (you can find it https://miguelangeldiazbautista.medium.com/the-controlled-failure-pentesting-project-blockers-and-the-art-cyberforged-7ee8c906ae23)

Pentesting is a testing process in which the system is subjected to predefined attacks that it is supposed to suffer in a real environment. We can take it as a kind of rehearsal of a play before the general public comes to see the real thing: First, we show it to theater experts, we see what they say and what they criticize, we solve it and then we go out to the general public and wait for that great ovation that we deserve.

Well, today we are going to try to summarize in 5 points the main aspects that you should take into account when you plan to pass a pentesting in a project.

Are you ready? Let’s get to it!

1. It takes time

Well, for a first point, it’s not bad: pentesting takes time. It’s logical, but it wouldn’t be the first time that we find a project manager complaining that a pentesting takes more than a week and he had committed to the customers to have the system ready on production yesterday.

Pentesting, besides being a really complex process, is a process that needs time for hackers to understand the functionalities of the system, learn how the system should react and how it reacts in reality, try to execute scripts to discover vulnerabilities, find out how to exploit those vulnerabilities…

We can think of it this way: You are presenting a completely new system to a team of “good” hackers, so they will need time to be able to figure out where your system is failing.

2. It is complex

Precisely, derived from the previous point, we get this one: Pentesting is a complex process. It is not a process where you can just “run” without looking around and without really understanding the system. Hackers must really understand what they have in their hands and they must be able to replicate unexpected behaviors in it.

It is no use if we, as Project Managers, have committed with clients to have the system ready in two days and we rush the hackers if the system is too complex. We may end up in a situation where hackers do not have enough time to really understand the system, and therefore overlook critical vulnerabilities that a “bad guy” hacker with time can really exploit.

3. It costs money

It seems like something we shouldn’t even mention, but within companies, the awareness of the services is often lost: Even if pentesting is something you have to go through in order to get a project into production, it will still cost money. In other words, just because you have this obligation does not mean that you will get it for free.

Within the project, a sum of money must be set aside to be able to pay for this service, whether it is an external or internal service.

4. Pentesting is only as good as the hackers who do it.

Compared to the previous ones it is a long title, but this may be one of the most important points in the whole list.

There are many companies on the market that offer pentesting services and will be more than willing to perform them. Of those companies, there will be some that will ask more money than others, more or less for the same service, or at least, it might seem that way within a written(or email) offer. But what should make us choose one or the other? Just the budget?

No, no, and thousand times no. Although the budget is important, it is much more important in this case the quality of the work of the company we are considering to perform the pentesting. This point is crucial since the usual thing is that cheap companies use ONLY automatic tools to be able to do many pentestings to different companies and thus to be able to earn more money. This is not what you want.

The perfect company is one that assures us that in addition to running automated tools, (which are only going to discover generic vulnerabilities) hackers will spend their time understanding and trying to break the system with advanced hacking techniques. We don’t want a single machine to analyze our system: we want a human to try to break it.

5. Don’t be afraid of what will be discovered

Something we have seen quite widespread within our world is the “fear” of some Project Managers or Product Owners to take their project for pentesting. This is probably because during the development of the project some quality standards have been overlooked and there is a fear that, during the pentesting, it will be discovered.

This may sound harsh, but it is true: No matter what is discovered in the pentesting process, it is better that it is discovered now and not when the project is already in production and a real hacker can attack our systems and steal our customer data or have any other impact on the operation.

We have to see pentesting not as something added at the end and external, but as part of our quality assurance as if it were at the same level as the development phase of our systems.

These are the 5 things you should know about pentesting, what do you think, do you have any comments? Leave it in the box below!

Thanks for reading

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Miguel Angel Diaz Bautista

Miguel Angel Diaz Bautista

A computer science engineer, with an extensive background in balancing cybersecurity with bussiness.