The value of security testing

Security testing injects a much needed dose of reality into the process of securing a system.

The value of security testing.
Caption: The value of security testing.

Performing security testing takes time. It costs money. It requires access to expertise that is increasingly difficult to find in the current market. You will have to put effort into utilising the output. So why should you do it? What value does it provide?

Why perform security testing?

One major driver for performing security testing is compliance. Many modern compliance programs require “penetration testing” of systems. So security testing may not be optional for you, but this still does not explain why it is valuable.

The main benefit of security testing is the reality check it provides.

Risk assessments can be subjective. You can argue that the risks they identify will never occur. That the consequences are unrealistic.

The results of security testing are more objective. You can prove that the vulnerabilities exist. You can show the effort required to exploit them. You can demonstrate the impact of exploitation. This doesn’t mean that arguments over “how serious” or “how likely” will completely go away. It does mean you will have better supporting evidence when those arguments occur.

Security testing can also detect problems that other assessments cannot. Relying on documentation, interviews and system diagrams to find issues can be misleading. Some information may be missing. Some information may be inaccurate, or out of date. There may be factors that those who wrote the documentation are not even aware of. Just as the map is not the territory, the documentation is not the system. Security testing assesses the system as it is, not as you might like it to be.

Security testing provides a much needed dose of realism in the security process. It is necessary. But it is not always sufficient. It cannot detect all risks. It will not determine if the systems users are sharing passwords. It will not identify when passwords are written on post it notes stuck to a monitor. It will not tell you when the system is misused, or what to do when that happens. For comprehensive system security, you must supplement security testing with other activities. This includes risk management, having appropriate policies and procedures, developing incident response capabilities, performing monitoring and alerting, delivering security awareness training, hardening systems and using secure coding practices.

Each security test only runs for a set period of time. There are other demands on testing resources. It is challenging to determine the scope of work for each test beforehand. The limitations imposed by time means that complete coverage is not always possible. Vulnerabilities can be missed. A lot relies on the skill of the security tester, and testers are only human. Humans make mistakes.

Security testing also only provides point-in-time assessments. It cannot tell you about vulnerabilities added to the system after the test is complete. It cannot detect vulnerability types that were unknown at the time of the test. It also cannot tell you if the vulnerabilities have been properly fixed after the test. Security testing must be repeated on a regular basis to manage these additional cases.

Stephen Bradshaw is an Ethical Hacker at the Digital Transformation Agency.