In this blog, Antony is shedding light on the approach WCBS takes to penetration testing, defined by The National Cyber Security Centre as: “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”
Security designed today for the future
In today’s increasingly security-aware world, business leaders, IT service managers and purchasing decision makers alike demand more than just hand-wringing assurances from a software provider proclaiming that “yes, of course our software is secure!” The cost of exploited security vulnerabilities is high, whether that be from reputational damage caused by bad publicity from a security breach, or potential fines resulting from accidental data disclosure.
As a responsible software development organisation, WCBS places security at the highest level, and this commitment has extended to regular penetration testing whilst developing our new cloud-native solution, HUBmis.
What is penetration testing?
Penetration testing is a type of security testing that seeks to expose security vulnerabilities, threats and other risks relating to system infrastructure and software systems. A penetration test often covers several different ways of attacking a solution (attack vectors). This might include (but is not limited to) infrastructure configuration, software defects, weak access controls (including user account controls) and so on. Often, a web application assessment will cover a variety of known threat types, many of which are published by bodies such as the Open Web Application Security Project (OWASP, see https://owasp.org/www-project-top-ten/), amongst others.
How is it carried out?
Penetration testing is typically carried out by third-party organisations that have specialist skills in IT security and ethical hacking. Engagement with these organisations usually starts with an introduction to a specific target, often a web application. The scope of testing is then agreed, which might be a blind test where the tester has no prior knowledge of the system implementation, or alternatively a test where the tester is given information relating to the target in advance.
During the testing period, any issues found during a given day may be reported at an end-of-day meeting. All issues found during testing are documented in a dedicated report where each issue is given a rating, usually from the Common Vulnerability Scoring System (CVSS), an open framework for describing the characteristics of security issues and their severity. This helps consumers understand the nature of each issue and indicates how urgently it should be resolved.
Who does the testing?
WCBS works with CREST-approved suppliers to carry out security testing services. CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market (see https://www.crest-approved.org). Recommendations for improvement arising from penetration testing are always prioritised through the software development process at WCBS.
We are committed to the safety and security of our customers’ data and systems. WCBS recommends that purchasing decision makers ask about penetration testing when considering new software.
Contact firstname.lastname@example.org for more information about the security testing of HUBmis.