Digging in


As Penetration Testers (aka pentesters) we dig into the networks, applications, and devices of our clients. We dig deep to uncover security risks that stem from misconfigurations, software vulnerabilities, coding deficiencies, business logic flaws, and more. Our job is to see the unseen, think like an attacker, and identify the opportunities that attackers will leverage to breach your security.

If you are one of the many organizations that not only manages its own internal IT but also develops an application as, or as part of, its business, you have an additional series of things to consider.

1. Developer Training. Are your developers trained properly? Have they had specific training on secure coding practices? Do they perform internal pre-testing? Do they understand the security frameworks they are expected to comply with? If not, put training in place.

2. Security Testing. Is the application regularly penetration tested? Many organizations are requiring this of their vendors, and those that aren't requiring it yet will be soon.

3. Certifications. Has your organization taken steps to obtain certifications that will show your adherence to security best practices? Are you ISO, HIPAA, or HITRUST certified? Do you want to be? Having these frameworks in place may help keep your security on track.

4. Secure Configurations. If the application will be used internally by a client organization (aka on-prem), are there specific configurations that need to be set for security compliance? Who will make sure these are in place? Have a plan.

5. SaaS Infrastructure. If the application is in the cloud, are you properly maintaining the infrastructure to meet the application's security needs? What is the plan to ensure proper testing and configurations are in place? This is critical, so don't be caught off guard.

If you are doing all of the above, good work! If not, give us a call; we can help.