A common misconception among startup founders is that cybercriminals won't waste time on them, because they're not big or well known enough yet.
But being small doesn't keep you out of the firing line. Attackers constantly scan the whole internet for exploitable flaws, and those scans don't check how big or well known the target is; one slip-up can put your business on the front page for the wrong reasons.
Fortunately, buyers are also becoming increasingly aware of the importance of cybersecurity and commonly ask startups about the processes they use to secure their data, so cybersecurity is now becoming an important business enabler.
So if you're a CTO thinking about ramping up your web or mobile apps' cybersecurity posture, then you are already on the right track, but with so many options, where should you start?
To help you get going, we created this guide that covers the following crucial points:
- Answering the question, "What is security testing?"
- Understanding the reasons to perform security testing
- Defining the scope of cybersecurity testing
- Knowing when to perform penetration testing
What Is Security Testing?
Security testing is a broad term that refers to the process of checking a system, network, or piece of software for vulnerabilities that hackers and other threat actors can take advantage of. It can come in many forms, so in this article, we will explore two of its major components:
- Vulnerability Assessment: an automated security test in which tools called "vulnerability scanners" check your systems or applications for known security issues. The flaws they surface range from application-level weaknesses and cloud configuration mistakes to software with missing security patches (one of the most common causes of breaches). Because the checks are signature-driven, a scanner only finds what it has a test for; it cannot judge whether a feature is being misused.
- Penetration Testing: primarily a manual assessment by a security expert (usually supported by the same scanning tools), which goes on to determine how far a threat actor could actually exploit the vulnerabilities found, for example by chaining several lower-severity issues together.
Penetration testing is a great way to find as many weaknesses as possible at a single point in time, but you should also consider how quickly you get alerted to new vulnerabilities after the pen testers have gone home (tip: not quickly enough; you'll want a vulnerability scanner for that).
Vulnerability scanners also let organizations learn about their security status before committing to more in-depth and usually more expensive manual tests. This is a no-brainer in many cases, as penetration testers will often start an engagement by running the same automated tools, so findings you could have fixed beforehand end up consuming paid testing time. And you wouldn't want to make it too easy for them, would you! ;)
Why Perform Security Testing?
Veracode's State of Software Security Report revealed that 83% of the study sample, comprising 85,000 software applications used by 2,300 companies worldwide, had at least one security vulnerability discovered during an initial security test. Without that test, these flaws would have shipped to production, leaving the software open to attack.
If you've decided to start security testing simply to find your weaknesses before the attackers do, then great: you have the flexibility to set your own requirements, so skip ahead to the next section. Otherwise, the other common reasons to perform security testing are:
- Third-party or customer requests. If partners or customers have specifically asked you to perform security testing so that their data stays safe, you may face more stringent requirements, but there is usually still room for interpretation. It's very common for customers to require a "penetration test" without specifying what that means: how much of your estate is in scope, whether an authenticated test is expected, and what evidence they want (a full report or a summary letter). Ask, and get the answer in writing before you buy.
- Compliance certifications and industry regulations. Many industry regulations and compliance certifications also require organizations to undergo regular security testing. Common examples are ISO 27001, PCI DSS, and SOC 2. They specify the required testing with varying levels of detail: PCI DSS is the most prescriptive (quarterly vulnerability scans and an annual penetration test, repeated after significant changes), while ISO 27001 and SOC 2 leave how and what to test to the organization, as it depends on the scenario at hand. For this reason, it's generally accepted that the company being tested is best placed to determine what level of testing makes sense for it, so the guidance below is still useful in determining what and how to test.
|Your customer or auditor will always have the final say, but you know your business best, so by proposing a sensible testing strategy, both sides can usually reach an agreement.
Think about Strategy before Individual Security Tests
Risk Assessment: How much of a target are you?
Every company is unique, and for that reason your risk will be unique to you. Even so, it can be hard to know what the right level of testing is. You can use the following as a rough guide to what we see in the industry:
1. If you don't store particularly sensitive data
For example, you might provide a website uptime monitoring tool and hold nothing particularly sensitive. Until you grow large enough to be targeted specifically, you mostly need to worry about indiscriminate attacks by people looking for easy pickings, and for those automated vulnerability scans are usually enough.
Focus them on anything internet-exposed, or potentially exposed: remote access (VPNs, remote admin logins), firewalls, websites and applications, APIs, and systems that may end up online by accident (anything inside a cloud platform is one misconfigured firewall rule or storage bucket away from the internet).
2. If you store customer data
Maybe you're a marketing data analysis platform: you may face fewer threats from insiders and criminal gangs, but you certainly need to worry about customers accessing each other's data or a general data breach. If anyone can register for an account in your app, consider an "authenticated" penetration test from the perspective of a normal user, since an attacker gets that foothold for the price of a sign-up, though perhaps not yet from the perspective of an employee with limited back-end access. You'll also want to make sure employee laptops are fully patched with the latest security updates.
3. If you're offering a financial service
If you're a FinTech startup moving money around, you will need to worry about malicious customers and even malicious employees, as well as cybercriminal gangs targeting you directly.
If so, consider continuous vulnerability assessment plus regular full manual penetration tests from each of those perspectives (anonymous attacker, customer, employee) on top.
4. If you don't have anything exposed to the internet
Maybe you don't have anything exposed to the internet at all, or don't develop customer-facing applications, so your main attack surface is employee laptops and the cloud services you sign in to. In this case, agent-based vulnerability scanning of the laptops themselves makes the most sense, together with checking the configuration of those cloud services (who has access, and whether multi-factor authentication is enforced), and you could consider a more adversarial form of penetration testing known as red teaming if you need additional assurance.
|Every business is unique, and there is no single cybersecurity strategy that will work for every startup. This is why you need to begin with an understanding of where your own risks reside.
What do you need to protect?
Ideally, before planning the security testing itself, you should work out what assets you have, both technical and informational, a process known as "asset management".
A very simple example could be: "We have 70 employee laptops, use mostly cloud services, have our customer data stored and backed up in Google Cloud Platform, and run an app that allows both admin and customer access. Our most important data is the data we store on behalf of customers, and our employee data in our HR system." Thinking this through then gives you the basis for scoping a test. For example:
- Our HR system is a cloud service, so we ask the vendor for evidence of their own security testing (a recent penetration test summary or audit report) rather than testing it ourselves.
- Which IP addresses do we hold in Google Cloud, and which domains are registered to us? Cloud inventory exports and your DNS/registrar records answer this, and there are tools that cross-check them.
- Our engineers don't download the production database, but they do have access to our cloud systems, so their laptops and cloud and email accounts are also part of our attack surface.
|Performing asset management helps you keep track of the systems belonging to your organization and determine which IP addresses and domain names need to be tested.
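To make the scoping step concrete, here is an added example (not code from the article or from Intruder) that takes the kind of data a startup already has, a DNS zone export and a cloud instance inventory, and turns it into an external test scope, flagging the two things that most often go missing from a scope: names that still point at addresses you no longer own, and instances with a public IP that nobody gave a DNS name. All names, addresses and the zone `example-startup.com` are constructed; the helper classifies addresses with an explicit RFC 1918 check because Python's `ipaddress` module treats the RFC 5737 documentation addresses used in the sample data as non-public.

```python
"""Attack-surface scoping helper: added example, not code from the article or Intruder.

Inputs are constructed inline in the shape you would get from a DNS zone export and a
cloud instance list (e.g. `gcloud compute instances list --format=json`). Every name,
address and the zone example-startup.com is made up for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

OWN_ZONE = "example-startup.com"  # assumed zone for the worked example

# Constructed zone records: (name, type, value)
DNS_RECORDS: List[Tuple[str, str, str]] = [
    ("app.example-startup.com", "A", "203.0.113.10"),
    ("api.example-startup.com", "A", "203.0.113.11"),
    ("vpn.example-startup.com", "A", "203.0.113.20"),
    ("old-demo.example-startup.com", "A", "203.0.113.99"),  # nothing in inventory behind it
    ("hr.example-startup.com", "CNAME", "tenant.hr-saas-vendor.example"),
    ("db.example-startup.com", "A", "10.0.2.5"),  # internal address published in public DNS
]

# Constructed cloud inventory: what an instance list export boils down to
CLOUD_INSTANCES: List[Dict] = [
    {"name": "web-1", "public_ip": "203.0.113.10", "private_ip": "10.0.1.10"},
    {"name": "api-1", "public_ip": "203.0.113.11", "private_ip": "10.0.1.11"},
    {"name": "vpn-gw", "public_ip": "203.0.113.20", "private_ip": "10.0.1.20"},
    {"name": "db-1", "public_ip": None, "private_ip": "10.0.2.5"},
    {"name": "jenkins", "public_ip": "203.0.113.50", "private_ip": "10.0.3.7"},  # no DNS name: exposed by accident?
]

# Explicit internal ranges (RFC 1918, loopback, link-local). ipaddress.is_global would
# wrongly treat the RFC 5737 documentation addresses used above as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_scope(dns_records, instances, own_zone: str = OWN_ZONE) -> Dict[str, list]:
    """Cross-check DNS against the cloud inventory and return the external test scope.

    hosts:               public IPs to put in front of a scanner
    domains:             names under our zone that resolve to public addresses
    third_party:         names delegated to a vendor (ask them for their test evidence)
    dangling:            names pointing at public IPs we do not own (takeover risk)
    undocumented_public: instances with a public IP but no DNS name (nobody meant to expose these)
    internal_in_dns:     internal addresses leaked via public DNS (not testable externally)
    """
    inventory_ips = {i["public_ip"] for i in instances if i["public_ip"]}
    scope = {k: set() for k in ("hosts", "domains", "third_party", "dangling",
                                "undocumented_public", "internal_in_dns")}
    dns_public_ips = set()

    for name, rtype, value in dns_records:
        if rtype == "A":
            if is_internal(value):
                scope["internal_in_dns"].add(name)
                continue
            scope["domains"].add(name)
            dns_public_ips.add(value)
            if value in inventory_ips:
                scope["hosts"].add(value)
            else:
                scope["dangling"].add(name)
        elif rtype == "CNAME":
            if value == own_zone or value.endswith("." + own_zone):
                scope["domains"].add(name)
            else:
                scope["third_party"].add((name, value))

    for inst in instances:
        ip = inst["public_ip"]
        if ip and not is_internal(ip):
            scope["hosts"].add(ip)
            if ip not in dns_public_ips:
                scope["undocumented_public"].add(inst["name"])

    return {k: sorted(v) for k, v in scope.items()}


if __name__ == "__main__":
    for category, items in build_scope(DNS_RECORDS, CLOUD_INSTANCES).items():
        print(f"{category:20s} {items}")
```

Run on the sample data, the "hosts" and "domains" lists are what you hand to a scanner, "third_party" is the list of vendors to ask for their own test evidence, and "dangling" and "undocumented_public" are the items to investigate before testing, since one is a possible subdomain takeover and the other is a machine (here a CI server) that is on the internet without anyone having planned for it.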
How Often Should a Startup Perform Security Testing?
It depends on the type of test. The benefit of automated tests is that they can be run as regularly as you want, whereas penetration tests are too costly to run frequently.
Performing routine vulnerability scanning at least once a month helps strengthen your IT infrastructure and is recommended by the National Cyber Security Centre (NCSC). This practice helps companies keep up with the never-ending list of new threats: well over 10,000 new vulnerabilities are reported every year. Aside from scanning on a schedule, it is also advisable to run a scan every time a system changes, ideally triggered automatically from your deployment pipeline, so that a new host or feature is checked before it has been exposed for weeks.
Types of Vulnerability Scanner
You can choose from several types of vulnerability scanners— network-based, agent-based, web application, and infrastructure. The choice depends on what assets you aim to protect.
Some classic examples of network scanners are Nessus and Qualys. Both are market leaders and provide broad vulnerability coverage. A modern alternative, if you want a tool that is easy to get started with, is Intruder.
This online vulnerability scanner has been specifically developed to be usable by non-security experts, while providing high-quality checks, as well as automatic scans for emerging threats.
|Intruder uses a unique algorithm to prioritize issues that leave your systems exposed, making it particularly easy to find out what presents the highest risk.
What are the Benefits of Vulnerability Assessment?
Vulnerability assessment aims to automatically uncover as many security flaws as possible so they can be fixed before threat actors find them. It also makes penetration testing, which by contrast is a manual process, more efficient. As the NCSC puts it, "By taking care of the 'low hanging fruit' through regular vulnerability scanning, penetration testing engagements can more efficiently focus on complicated security issues that are better suited to a human."
When to run a penetration test?
Pen testers mimic real-life attackers, but unlike threat actors they work to a predefined scope and do not damage the organization's assets or steal its data. Compared to vulnerability scanning, they are much more likely to uncover complicated or high-impact business-layer weaknesses, such as manipulating product pricing, using one customer account to access another customer's data, or pivoting from an initial weakness into full system control. The downside is that, by comparison, it's expensive, so when is the right time to run one?
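Two of the weaknesses just named, one customer reading another's data and a client-controlled price, are worth seeing in code, because they are exactly what an authenticated manual test (the "normal user" perspective from the risk assessment above) looks for and what a scanner cannot judge: every request is authenticated, returns a normal response, and looks healthy. The following is an added example, not code from the article or from any product it mentions. The in-memory order store, the catalog, the users `alice` and `bob`, and the handler functions are constructed stand-ins for a web app's request handlers, with each vulnerable handler beside its fixed form and the probe a tester would run against both.

```python
"""Business-layer weaknesses an authenticated pen test looks for: added example, not
from the article. The in-memory store and handlers stand in for a real app's request
handlers; users, order ids and prices are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


class Forbidden(Exception):
    """The fixed handler raises this instead of returning another customer's data."""


class BadRequest(Exception):
    """The fixed checkout raises this for line items it cannot price server-side."""


@dataclass
class Order:
    id: int
    owner: str
    items: List[str]


# Constructed data: two customers, one order each, prices in cents
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", ["pro-plan"]),
    1002: Order(1002, "bob", ["team-plan"]),
}
CATALOG: Dict[str, int] = {"pro-plan": 4900, "team-plan": 19900}


# --- Weakness 1: object reference not bound to the session (IDOR) --------------------
def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    # Authenticated, but the id from the URL is trusted: any logged-in user can read
    # any order by counting up from their own order number.
    return ORDERS[order_id]


def get_order_fixed(session_user: str, order_id: int) -> Order:
    order = ORDERS.get(order_id)
    # Ownership is checked on every read, and a foreign id gets the same answer as a
    # missing one so the endpoint does not confirm which ids exist.
    if order is None or order.owner != session_user:
        raise Forbidden("order not found")
    return order


# --- Weakness 2: trusting a client-supplied price ------------------------------------
def checkout_vulnerable(cart: List[dict]) -> int:
    # The browser posts [{"sku", "qty", "price"}] and the server adds up what it is told.
    return sum(item["price"] * item["qty"] for item in cart)


def checkout_fixed(cart: List[dict]) -> int:
    total = 0
    for item in cart:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            raise BadRequest(f"invalid line item: {item!r}")
        total += CATALOG[sku] * qty  # price comes from the server-side catalog only
    return total


# --- What the tester actually does: probe each handler from a normal user account -----
TAMPERED_CART = [{"sku": "team-plan", "qty": 1, "price": 1}]  # price field edited in the browser


def idor_exposed(handler: Callable[[str, int], Order]) -> bool:
    """Log in as bob and request alice's order id. True means a cross-customer read."""
    try:
        return handler("bob", 1001).owner == "alice"
    except Forbidden:
        return False


def price_tamperable(handler: Callable[[List[dict]], int]) -> bool:
    """Post a cart with a rewritten price. True means the server accepted it."""
    try:
        return handler(TAMPERED_CART) < CATALOG["team-plan"]
    except BadRequest:
        return False


if __name__ == "__main__":
    for label, fn in (("vulnerable", get_order_vulnerable), ("fixed", get_order_fixed)):
        print(f"IDOR ({label}): exposed={idor_exposed(fn)}")
    for label, fn in (("vulnerable", checkout_vulnerable), ("fixed", checkout_fixed)):
        print(f"price tampering ({label}): accepted={price_tamperable(fn)}")
```

Note what the two probes have in common: both use a perfectly valid session and well-formed requests, so nothing in a scanner's signature set fires. Finding them requires a second account and the judgement to ask "should this user be allowed to see or set this?", which is why the article's advice to commission an authenticated test once you hold customer data is sound.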
Think along the key timelines of the risk assessment above, for example, after your product is developed but before you start taking on real customer data. Or after you hold some non-sensitive customer data, but before you start holding salary or health-related information.
Once you're up and running, penetration testing should be repeated after major changes, such as altering your authentication system or releasing a major new feature, or after 6-12 months of small changes (each of which, in theory, could have introduced a weakness).
Again, this depends on your risk level: if you're moving money around, testing as often as every three months (or more) is advisable, but if you're at the lower end of the risk spectrum, once every 12 months is a commonly accepted schedule.
|Penetration testing should be carried out after major system changes (ideally before they go live) and otherwise at regular intervals of 6-12 months.
Several types of penetration testing exist. A test can look for security flaws in technology, such as your external and internal networks and web applications, but it can also probe an organization's people and processes, for example through social engineering.
The pen testing company you choose will depend on the type of assets you want tested, but other factors, such as certifications, price, and experience with your kind of stack, should be considered as well.
Security testing is a critical cybersecurity process that aims to detect vulnerabilities in systems, software, networks, and applications. Its most common forms are vulnerability assessment and penetration testing, but the goal is always to address security flaws before malicious actors can exploit them.
Keep in mind that threat actors also scan continuously for any vulnerability they can abuse, and one flaw can be enough to turn into a large-scale compromise. While this can sound frightening, your company stays better protected by testing regularly, because you find and fix the same flaws they would find.
Implementing this strategy can be challenging, as there is no one-size-fits-all security testing solution. Small businesses may also hesitate to invest in an intangible product, especially one they may not fully understand because of all the technical jargon. Nowadays, many tools offer free trials, which give small businesses a chance to find the right solution before committing to a bigger investment.
If you're in need of a modern, easy-to-use security testing solution, Intruder offers a 30-day free trial of their vulnerability assessment platform. Visit their website today to take it for a spin!