Web and mobile applications are at the core of most companies’ activities. Whether you have already deployed them or they are still under development, some misconceptions about their security persist, even though security is crucial to running your business in good conditions.
Here are the 9 preconceived ideas that we encounter most often.
1. Hackers are only interested in web and mobile applications of large companies
This is an argument we hear very often. Unfortunately, it is not how attackers think. We can distinguish two main types of attacks: targeted attacks and non-targeted attacks. The latter aim at every company that uses, for example, the same language or the same third-party components, every company that has not patched a particular server vulnerability, or simply every company whose email addresses appear in the attackers’ list.
In this type of non-targeted attack, the attackers use every opportunity available to them, regardless of the company’s size, sector of activity or turnover.
The web and mobile applications of large corporations are indeed more visible and therefore more exposed to both types of attacks. However, these companies are also generally more aware of the risks and much better equipped with the technical and human resources to counter attacks.
SMEs and startups, for their part, are attractive targets because their defenses are usually less prepared, even though they hold data or resources that are very interesting to attackers.
2. My developers are rockstars
The most skilled developers write clear, concise and bug-free code. Their job is to develop showcase sites, web or mobile applications that are high-performance, ergonomic and user-friendly, within increasingly tight deadlines. But they are generally not security experts. Developing a web platform or a mobile application and testing it for security flaws are very different approaches and very different jobs.
It is therefore important to carry out web penetration tests, to test and evaluate the security of your showcase sites, e-commerce platforms, SaaS applications and other solutions in conditions as close as possible to a real attack. A penetration test provides an inventory of the current situation and enables you to identify possible entry points and any vulnerable resources to which an attacker might gain access. A penetration test also helps developers build their security skills. Secure development training courses are another good way to raise your developers’ awareness of web and mobile application security issues.
3. We use robust frameworks, so our web and mobile applications are secure
Indeed, it is highly recommended to use robust frameworks that include a security layer. However, choosing a good framework is not enough to guarantee your security: everything depends on how it is used and implemented.
Sometimes protections built into a framework are disabled in order to avoid constraints and to save time. This is why security tests remain essential.
4. We do not process sensitive data, so security is not a priority
Of course, one of the priorities in security is to protect the most sensitive data, such as personal, financial or health data. But security does not stop there, as data is not the only thing that needs to be taken into account. Your services, business applications or your online presence are also assets that need to be protected. Security incidents on these assets, even without sensitive data leaks, can have negative repercussions:
- Additional expenses to manage and resolve the incident
- Direct loss of revenue if your application is unavailable and service continuity is no longer assured, if business data is lost, etc.
- Indirect loss of revenue if your customers’ trust has been lost, strategic data has been destroyed, your online reputation has been damaged, etc.
In addition, many attackers hack websites or applications to use them as “zombies” in their future attacks or to host their illegal activities. Depending on the legislation in force in their country, companies have a moral or even legal responsibility with regard to these risks.
5. We have already carried out a penetration test
Securing a showcase site, web or mobile application is usually a continuous process. On the one hand, technologies are constantly evolving, with new versions released but also new vulnerabilities discovered. On the other hand, projects are increasingly in continuous development and receive regular updates and new features.
Given this intense pace of development, it is advisable to test your application regularly. Depending on the needs, an audit can cover a specific portion of the application, only the latest features put into production, or a specific threat.
6. There is no ROI on security audits
A security audit is comparable to insurance. No one likes to pay their car insurance, but in the event of an accident, you quickly understand how necessary it was. Investing in an audit secures the overall operation of your business and helps to avoid potential future expenses related to attacks or data leaks.
Moreover, today the security of your web platform or mobile application has become a commercial argument. In particular, during their purchasing process, the majority of buyers ask about the security of the data they entrust to you through your website or applications. Being able to prove the level of security, for example with an audit certificate or reports showing that penetration tests have been carried out, becomes a key asset in negotiations. Being proactive on these issues has a direct impact on sales and strengthens the confidence of your customers, prospects or partners in your solution. Thus, the ROI of a pentest is difficult to quantify, but it is indisputable.
7. We don’t have time to do a pentest
Given the priorities of the roadmap, urgent customer requests and last-minute changes, it can seem complicated to engage in a pentest project. And yet, conducting a pentest certainly requires less work on your part than you might imagine.
Before and during testing, very little involvement is required on your part. In some cases, pentesters will need you to provide them with a test environment and/or test accounts. They will then be autonomous throughout the audit.
Following the penetration test, you will be provided with a report detailing the vulnerabilities identified and the fixes to be implemented. The vulnerabilities are classified according to their level of criticality, allowing you to prioritise remediation according to your availability. You will be free to set the remediation schedule.
8. One has to be naive to be fooled by a phishing email
Phishing has evolved a lot; the days of the lawyer contacting you about an inheritance are over. Phishing is now harder to detect and can be very dangerous. It can claim to come from contacts known to the targeted person, or it can use requests adapted to the company’s context. The techniques and pretexts for attacks have become more subtle. Attackers rely on human psychological drivers to push people to click and make mistakes.
Via social engineering attacks (attacks aimed at manipulating humans), an attacker can combine phishing with, for example, fraudulent phone calls (vishing or voice phishing) to obtain confidential information, such as access to the internal network or back office.
These attacks are still little known and often underestimated. However, the risks can be significantly reduced by raising awareness among teams and strengthening internal processes. It is also possible to carry out a social engineering audit or training to arm your teams against this type of attack.
9. Penetration tests are too expensive
Penetration tests certainly have a cost. However, when the tests are adapted to the level of risk and the needs of your company, they are an investment with a sure return.
Moreover, not all security audits cost the same, and they do not necessarily require a budget of 10k€, for example. The cost varies according to the depth and completeness of the audit. By limiting the scope and/or the depth of the tests, we can limit the cost of the service.
Finally, when the budget is really limited, it is possible to do a pentest for less than 1 500€. This can be relevant for companies that are starting to implement security tests and that will extend testing to other portions of their information system as they grow. We are used to adapting to different risk levels, different development stages and different budgets; feel free to contact us to discuss your pentest project.