It is often assumed that the goal of security is simple: "be secure." In truth, security has many goals beyond simply being secure. The security goals of a small financial institution may look very different from those of a hospital, where unencumbered access to patient data can mean life or death. But whatever type of organization you work in, clarity on your specific security goals is paramount.
When working with a team like ours, it is important to get to the root of what you are looking to accomplish before an engagement begins. Here are some things to consider:
- What type of data do you hold?
- What regulatory requirements do you need to meet?
- Are you looking at a single technology or your entire environment?
- Are you looking at infrastructure, applications, or both?
- Is there a need for authenticated testing, or will unauthenticated testing do?
Here is a simple example of goal clarity. A client came to us wanting an unauthenticated penetration test of an application. As we discussed the application, it became apparent that the main components of concern were the credit card data flow and the PCI regulatory requirements, both of which sat behind an authenticated login. Through further exploration we clarified the requirements, mapped the various data flows in play, and identified which flows needed to be evaluated. While many elements of the testing remained the same as originally scoped, the goal of this testing required a specific focus on elements that would have been out of scope in an unauthenticated test. Digging into the specific security goals set the plan for testing and allowed us to fully meet our client's security goals.
Takeaway: think about your security goals as precisely as possible, and lay out your security testing plan with those goals in mind. We are here to help.