Web and mobile applications are at the core of most companies’ activities. Whether you’ve already deployed them or that they are still under development, some misconceptions about their security are still present, even though it is a crucial topic to conduct your business in good conditions.
Here are the 9 preconceived ideas that we most often encountered.
1. Hackers are only interested in web and mobile applications of large companies
This is an argument we hear very often. But unfortunately, this is not the thinking of the attackers. We can distinguish two main types of attacks: targeted attacks and non-targeted attacks. The latter will aim at all companies that use for example the same language, that have not patched a particular server vulnerability or whose email addresses are in the attackers’ file.
In this type of non-targeted attack, the attackers use every opportunity available to them, regardless of your number of employees or your turnover.
Web and mobile applications of large corporations are indeed more visible and exposed, and are therefore affected by both types of attacks. But these companies are also generally more aware of the risks and much better equipped with the technical and human resources to counter attacks.
SMBs and startups are, for their part, attractive targets because they have usually less prepared their defenses, even though they have data or resources that are very interesting for attackers.
2. My developers are rockstars
Good developers write clear, concise and bug-free code. Their job is to develop showcase sites, web or mobile applications that are high-performance, ergonomic and user-friendly, within increasingly tight deadlines. But they are generally not security experts. Building a web platform or a mobile application and testing security flaws are very different approaches and jobs. By way of comparison, even the finest paintwork will always need a paint coating to protect it.
It is therefore important to carry out penetration tests, to test and evaluate the security of your solutions in conditions as close as possible to a real attack. A security audit gives an inventory of the situation and allows to understand what an attacker could obtain. It also allows developers to increase their skills on the security subject. It can be followed by training in secure development.
3. We use robust frameworks, so our web and mobile applications are secure
Indeed, it is recommended to use robust frameworks which have a security layer. However, it is not enough to choose a good framework to guarantee your security: everything depends on how it will be used.
Sometimes, some protections included in a framework are disabled in order to avoid some constraints and to save time. This is why security tests are essential.
4. We do not process sensitive data, security is not a priority
Of course, one of the priorities in security is to protect the most sensitive data, such as personal, financial or health data. But security does not stop there, it is not only this data that needs to be protected. For example, your services, your business applications or your online presence are assets that need to be protected. Security incidents on these elements, even without sensitive data leaks, can have negative repercussions:
- Additional expense to manage and resolve the incident, potential legal action, etc.
- Direct loss of revenue if your application is unavailable, if lead requests are missed, if business data is lost, and so on.
- Indirect loss of revenue if your customers’ trust has been lost, strategic data has been destroyed, your online reputation has been damaged, etc.
In addition, many attackers hack websites or applications to use them as “zombies” in future attacks or to host their illegal activities. Depending on the legislation in force in their country, companies have a moral or even legal responsibility in front of these risks.
5. We have already carried out a penetration test
Securing a web or mobile app is usually a continuous process. On the one hand, technologies are constantly evolving, with new versions released but also new vulnerabilities discovered. And on the other hand, projects are more and more in a permanent development process and receive regular updates and new features.
Given this intense pace of development, it is advisable to test your application regularly. Depending on the needs, an audit can be conducted on a specific portion, only on the latest functionalities put into production or to test a specific threat for instance.
6. There is no ROI with security audits.
A security audit is comparable to an insurance. No one likes to pay their car insurance, but in case of an accident, you quickly understand how necessary it was. Investing in an audit secures the overall operation of your business and avoids potential expenses related to attacks or data leaks.
Moreover, today the security of your web platform or mobile application has become a commercial argument. In particular, during their purchasing process, the majority of buyers question the security of the data they entrust to you through your website or applications. Being able to prove the level of security, for example with an audit certificate or reports attesting to the completion of penetration tests, becomes a key asset in negotiations. Being proactive on these issues has a direct impact on sales and will strengthen the confidence of your customers, prospects or partners in your solution. Thus, the ROI of a pentest is difficult to evaluate but it is indisputable.
7. We don’t have time to do a pentest
Given the priorities of the roadmap, urgent customer requests and last-minute changes, it might seem complicated to engage in a security audit project. And yet, conducting a pentest certainly requires less work on your part than you might imagine.
Before and during testing, very little involvement is required on your part. In some cases, pentesters will need you to provide them with a test environment and/or test accounts. They will then be autonomous to perform the audit.
Following the penetration test, you will receive a report detailing the vulnerabilities identified and the patches to be implemented. The vulnerabilities are classified according to their level of criticality, allowing you to prioritise their treatment according to your availability. You will be free to set the remediation schedule.
8. One has to be naive to be fooled by a phishing email.
Phishing has evolved a lot, the time of the lawyer contacting you about an inheritance is over. Phishing is now more complex to detect and can be very dangerous. It can claim to come from contacts known to the targeted person or use requests adapted to the company’s context. Techniques and pretexts for attacks have become more subtle. Attackers rely on human psychological drivers to push to click and make mistakes.
Via social engineering attacks (attacks aimed at manipulating humans), an attacker can combine phishing with, for example, fraudulent phone calls (vishing or voice phishing) to obtain confidential information, such as access to the internal network or back office.
These attacks are still underrated and are often underestimated. However, the risks can be significantly reduced by raising awareness and strengthening internal processes. It is moreover possible to carry out a social engineering audit or training to arm oneself against this type of attack.
9. Penetration tests are too expensive
Penetration tests certainly have a cost. However, when the tests are adapted to the level of risk and the needs of your solution, it is an investment for your company.
Moreover, not all security audits have the same cost and do not necessarily require a budget of 10k€ for example. The cost varies according to the depth and completeness of the audit. By limiting the scope and/or the depth of the tests, we can limit the cost of the service.
Finally, when the budget is really limited, it is possible to do a pentest for less than 1 500€. This can be relevant for companies that are starting to implement security tests and will increase or test other portions of their information system as they develop. We are used to adapting to different risk levels, different development stages and different budgets, feel free to contact us to ask a quote.