Leveraging Penetration Testing to Meet PCI DSS Compliance Standards
Learn how pentesting for PCI DSS allows you to meet compliance standards, identify vulnerabilities, and protect against data breaches.
Learn how to make the best out of a negative penetration test report, and learn why a negative report isn't always a bad thing!
TL;DR:
Most companies may have a general idea of their company’s security posture but it can be a shock to find out just how many deficiencies there truly are. However, it’s important to understand what a “bad” penetration test is. The whole purpose of a penetration test is to identify vulnerabilities that exist in your company that you weren’t aware of or didn’t fully understand. Therefore, it’s not a bad thing for a penetration test to come back with a large number of findings. Discovering how to make the most of a devastating penetration test report is crucial in maximizing your cybersecurity efforts. What makes a penetration test truly bad is the following:
1) Having many false positives: Having multiple false positives related to identifying a vulnerability is a big negative. This can lead to a lot of wasted time as the client tries to validate or fix a vulnerability that doesn’t exist.
2) No remediation plan: Another bad outcome is to have a penetration test that finds vulnerabilities but doesn’t offer any suggestions on how you can fix the vulnerabilities and address the underlying cause. Finding the vulnerabilities is important but the overall goal is not just awareness, it’s about how to fix the vulnerabilities and eliminate the root cause to prevent issues from reoccurring later on. If a penetration test doesn’t give you that information then it should be considered a poor job.
However, what most people will regard as a devastating penetration test is one that simply discovers a ton of vulnerabilities. Even though it may not feel good to see a report showing a large number of vulnerabilities, that is the sign of a strong penetration test because it shows you several ways that your company can improve. If you want to learn more about what factors make up a good or bad penetration test, read our blog.
The first thing you should do when receiving a penetration test is to investigate the issue and determine the root cause of the issue. Vulnerabilities that are misconfigurations can often be changed very easily while those that are more systemic need more time and attention. By making this distinction you make the next step much easier, prioritization.
When you receive your penetration report each vulnerability will be assigned a severity by the pentesters (critical, high, medium, low etc). However, it falls on the client to look at the affected resources and prioritize the remediation of resources that are more important to the business. For example, if you have two critical vulnerabilities, but one is your health-care critical triage app and the other is the events marketing page, then these two apps should have different levels of priority. Typically fixing resources is done in order of severity and then asset worth. So we generally recommend fixing all the criticals first, but doing so in the order of asset priority. Then work on highs, mediums, lows etc.
Source @vantagepoint
Once you have a plan on the order in which vulnerability should be remediated it’s time for you to start assigning resources to get the work done. It’s important to have someone uniquely responsible for the remediation of certain vulnerabilities so that they can be held accountable and ensure that it is completed on schedule. This doesn’t just mean informing the security team but you also need to factor in all the teams/people responsible for remediation, for example, patch management, site reliability engineers and senior management. This is also a good time to re-evaluate your security posture. This can include developer training or more frequent penetration tests to match your code releases to stay on top of vulnerabilities.
Once you have your resources organized the last thing to do is to implement the required changes. The best approach to this is typically to perform the change in a dev and uat environment before implementing it in a production environment. This is important so that you can ensure that the change works and doesn’t have any negative impact on the non-production systems before pushing it into production. This significantly reduces the risk of unexpected downtime and other potential issues.
Once you have implemented the changes, you must do a re-test. At the very least you want to do a test that checks for the old issues and ensures that they have been properly resolved. Not only does this verify that the fixes worked but it ensures that there are no easy bypasses that hackers can use to circumvent the fixes that you invested time and money into implementing. It’s important to schedule the retest well ahead of any internal or external deadlines. There is a good chance that there may be issues with the fixes that were implemented and you must give yourself enough time to fix the new issues after the retesting.
A devastating penetration test can be a good thing for your organization. It means that you have been made aware of the weaknesses in your business and it means that you now have a good roadmap for improving over time. A successful penetration test gives you a big-picture view of your organization and it’s better that you are made aware of this before the attackers/hackers find them.
Here’s what to do when you receive your penetration testing report:
Engage the required stakeholders: You need to engage all of the important stakeholders in the organization whose support you will need to implement these changes. This includes patch management, developers, site reliability engineers, upper management etc.
Establish a schedule: You should create a formal schedule that outlines exactly when the work will be done and by whom. This helps to ensure continuous progress and accountability for all aspects of the project and significantly improves the chances of success.
Retest: You should always do a retest with a professional pentester to ensure that the changes that you have made do indeed fix the vulnerabilities and that there are no workarounds for hackers to exploit. The retest is your only true confirmation that the vulnerability has been fixed and that you are in a more secure state than when you started.
To maximize the value of a penetration test report, organizations should actively engage business teams in the risk assessment process, providing crucial context to align findings with real-world implications. Regularly updating stakeholders on progress demonstrates the test's success and ongoing security improvements. Utilizing different report views tailored to various stakeholders' needs ensures appropriate information sharing. Facilitating direct communication between security and development teams streamlines the remediation process, increasing the likelihood of timely fixes. This can be achieved by inviting developers to collaborate on the testing platform or integrating findings directly into project management tools like JIRA or GitHub. By implementing these strategies, organizations can effectively leverage penetration test reports to enhance their overall security posture and drive meaningful improvements.
If you’ve ever had a penetration test done and found out that your company has tens, hundreds or even thousands of vulnerabilities it can be a difficult pill to swallow. However, it’s also a great opportunity for your organization to evolve and grow into a more secure business. To make the most of a devastating penetration test report you must approach it in the right way. First, you need to understand that the whole purpose of a penetration test is to identify vulnerabilities in your organization and you should find out now than when someone hacks into your business. Then you need to leverage the information that you found to remediate these issues and ensure that your organization is in a stronger position than before. If you do this properly even a “bad” penetration test report can become a positive. understand the importance of how to make the most of a devastating penetration test report devastating penetration test report
Security
Can be easily manipulated without detection if not properly secured.
Digitally signed and can be validated on the server. Manipulation can be detected.
Size
Limited to 4KB.
Can contain much more data, up to 8KB.
Dependency
Often used for session data on the server-side. The server needs to store the session map.
Contains all the necessary information in the token. Doesn’t need to store data on the server.
Storage Location
Browser cookie jar.
Local storage or client-side cookie.
No testing strategy is one-size-fits-all. Pentesting in a production environment can provide advantages, though it does come with many risks.
Providing the quality of the biggest names in security without the price tag and complications.
Manual penetration testing
Full time Canadian hackers
Remediation support