When it comes to testing, most firms believe that penetration testing will suffice. This seeming obsession with pentesting – to the detriment of other areas of security testing – leaves businesses open to potentially serious breaches.
A pointer to why can be found in last year's DTI ISBS survey: 96 per cent of security breaches were wholly unrelated to penetration issues. Let's take a look at just a handful of the many key areas that companies overlook.
First, documents created for BS7799 certification are rarely checked for effectiveness or rigorously tested when preparing comprehensive security risk analysis and policies.
Second, firms don't test the developmental and operational approach, to ensure that security best practice is designed into the solution.
Also ignored is incorporating security testing into other forms of testing, rather than testing in isolation, and introducing staff testing processes that minimise the potential risk.
Another error is failing to ensure that test modes in applications and test materials do not allow unauthorised access to future live systems, as is failing to ensure that data is security-tested at all levels. Outsourcing, and the blurring of where the security perimeter lies, make data more vulnerable than ever.
Dispelling the distorted view of where vulnerabilities lie involves approaching security testing from a more realistic perspective.
Don't be seduced by easy-to-implement pentesting. Undertaking risk analysis early in development projects provides a testing framework and a prioritised task list that identifies which risks to tackle during testing.
Doing this allows the dual benefits of greater clarity of security concerns and a greater confidence that they are dealt with effectively.