Performing a security audit is an essential step in securing a web platform. However, this kind of one-shot exercise is not enough to ensure long-term security. Several complementary measures can be considered to reinforce your security in the long run.
The benefits of security audits
Running a penetration test is an indisputably effective step: it is an opportunity to put your defenses to the test under realistic conditions.
This kind of security audit therefore gives a point-in-time picture of your platform's security, within the agreed scope, and lets you identify and fix the vulnerabilities that were found.
Medium and long-term risks
However, a few risks must be kept in mind after a security audit:
– New releases : new developments (functional as well as technical changes) bring new features… but also new vulnerabilities. Every new line of code can introduce new risks. Developers can of course build on the results of past audits: remediating the flaws that were reported is an excellent opportunity to improve their skills, learn about security and adopt development best practices. But that does not mean their new code will be free of mistakes…
– New threats : the threat landscape moves constantly. Components in your platform will age and accumulate known vulnerabilities, new attack techniques will be discovered, and so will new ways to exploit existing vulnerabilities.
– Other factors to consider : when a platform is technically mature and robust, the easiest way forward for an attacker is to exploit human weaknesses. At that point, the main entry point into a company becomes the lack of social engineering awareness and adequate training among the staff, at every level.
What solutions for sustainable security?
A security audit must be seen as one step (and a key step!) within a global security strategy.
It is therefore highly recommended to set up a long-term program, built from several possible components:
– Recurring pentests : one option is to conduct penetration tests regularly on your web platform or application portfolio. This way you test exposed services at regular intervals, with the possibility of focusing on new production deployments, and you can spread penetration testing across the year rather than concentrating it in a single engagement.
– Training : another option is to raise the skills of your technical teams in order to reduce risk, for instance by training them on the vulnerability classes catalogued by OWASP (such as the OWASP Top 10). It may also be beneficial for the "functional" teams to acquire basic knowledge of risks and security requirements. Furthermore, mitigating risks related to human weaknesses requires staff across the whole company, at all levels of the organisation, to be aware of social engineering threats.
– Incident response preparation : if your company is facing ongoing attacks or has serious security issues, it must be ready for an incident. The impact of an incident can be greatly reduced or amplified depending on whether the teams concerned are able to detect anomalies properly and react promptly and in a coordinated manner. It is best to prepare beforehand!
This does not call into question the effectiveness of penetration tests, but it is worth keeping in mind that a one-shot exercise is not enough. Security is an ongoing process that must be tailored to a company's context, its level of risk and its budget. The diversity of available security measures means that different companies can address their security challenges with solutions appropriate to them.