You can’t assess risk without knowing what your vulnerabilities are. How do you ensure that vulnerabilities don’t slip through the cracks when your system or software is under development?  One way is to incorporate penetration testing into the Development Life Cycle (DLC).  The development life cycle is designed for and used by software developers and system administrators. Their primary focus is, and as it should be, functionality.  Often that means they might miss security vulnerabilities within the network or software.

How would you reduce the potential risk?

I’d recommend that you include the penetration testing team in every step of the DLC right from the start. And then follow my motto, “Test early and often.”  And our customers have found that a set of outside eyes can be extremely helpful in identifying vulnerabilities as they are introduced.

Where would the penetration testing effort start?

Immediately. The first step of the DLC is to identify the requirements of the system or software. As requirements are assessed, the pen test team can start building out threat models and profiles of what types of attackers would be a threat. Second, as planning begins for the system or service, so does the planning for the attack. Targeted attacks and security checks can take place all the way down the line to deployment. As a system or service is brought online, it is checked. Findings are immediately addressed, and the DLC moves on.

Frequently I see that people think that they should do the penetration testing at the end.  When that occurs, it can often result in a finding that brings down the house of cards. For example, one misconfiguration in a system setting could affect other system settings that depend upon it.  If you wait until the end, then correcting the configuration impacts all the other settings and you end up with a lot of rework or accepting the risk.

This is why you shouldn’t look at pen-testing along the way as something that slows you down. Rather by making it a routine part of the process throughout the life cycle you end up with a complete system that is more cyber resilient.

Being secure is no longer considered a luxury. It is a requirement for successful business operations. When it comes to system design and service, there is no substitute for human creativity and tenacity. While automated tools do offer a tremendous amount of help when it comes to security, the human creativity and tenacity associated with pen-testing are just as irreplaceable.