When do I need penetration testing?
It is ideal to test any system or software before it is put into production, once the system is no longer in a state of constant change. Typically, pentests are bought when:
- a new business-critical feature is developed and about to be implemented
- when launching a new product
- before systems or software goes into production
How often should I perform penetration testing?
As time goes on, new software is deployed and changes are made, and they need to be tested or retested. Here are the factors that influence the frequency of necessary testing:
The bigger the company, the more attention it gets from the hackers, the more often systems are to be pentested.
Pentests are not cheap. Companies with small budget will do pentests once per year. A greater budget will allow to test more often.
Regulations of country/industry:
In some countries like USA pentests are required by law:
- Medical Device Manufacturing
- Healthcare Delivery - HIPAA Evaluation Standard § 164.308(a)(8)
- Payment Card Industry Data Security Standard – PCI DSS – regular network monitoring and testing: vulnerability scans and penetration tests are required every six months
- Technology service organizations – CPA SOC 2: requires penetration testing to verify control implementation effectiveness every six months for the status “compliant” or quarterly pentest for the status “secure”
- Financial Industry Regulatory Authority (FINRA) - Securities Exchange Act of 1933 (17 CFR §240.17a-4(f)) requires members to appropriate the elements of a strong penetration testing program through regularly rotating contracts with third-party cybersecurity agencies that take a risk-based approach to determining vulnerability and evaluating security
In EU these practices are not heavily regulated. GDPR §32 describes that companies have to check their security but do not give a strong mandate on HOW TO do it (…implement technical measures to ensure data security…). Though, the new regulations are expected to come at any moment.
Image source: mindler.com