The once-a-year pentest is commonplace for many organizations, but is this a suitable timeframe, a minimum to meet compliance requirements, or somehow an accurate guess at the optimum interval? Let’s take a look at the factors we should consider, and at the pros and cons of more frequent as well as less frequent testing.
Factors to Consider
- First up, we have industry regulations and compliance requirements. Many industries have specific guidelines on how often pentesting should be conducted and therefore we should use this as a starting point.
- The size and complexity of your organization is next. If you have complex infrastructure that changes often, you should consider testing more frequently.
- Security incidents or breaches may also spark more frequent pentesting. It may not always be the right course of action to pile on pentests along with ongoing remediation, but this can help drive change for the better if you have the resources.
- Previous testing should also be a factor to consider. The results of your pentests will give you an indication of the maturity of your environment and insight into whether or not it’s within your risk tolerance.
- Finally, we have the budget. This is more of a constraint rather than a factor but often in smaller organizations, the budget is what decides the schedule.
With some of the main factors to consider out of the way, let’s examine the pros and cons of more frequent testing.
The Case for More Frequent Penetration Testing
The Pros of More Testing
- Assuming you have the resources to follow up, your security posture will improve. Regular testing will not only help you identify and remediate vulnerabilities but also improve your team’s attitude to building and deploying things securely as part of their day-to-day work since they know it will be reviewed at some point soon.
- You will be secure rather than just compliant. I think as an industry too many assume that compliance means security, which it doesn’t. We should strive to be compliant at a bare minimum, and be secure based on factors such as exposure, risk tolerance, and business objectives.
- Finally, we have better risk management. More frequent testing will give more accurate insights and enable us to effectively manage security risks.
The Cons of More Testing
- Cost is going to be a factor for many organizations. For larger enterprises, having an internal team may be more cost-effective and provide better ROI. However, if your organization is relying solely on external consultants, then more testing of course will simply cost more.
- Internal resources are also consumed by more regular testing. The time your own teams spend preparing for, supporting, and following up on each test increases accordingly.
- Disruption to daily operations can also be a factor with more frequent testing. Whilst this is not always the case, there is the potential for downtime or an impact on system performance.
- At some point we may also start to see diminishing returns on investment. Blindly deciding to test once per year may not be effective, but testing too often will also not yield the most effective results.
The Case for Less Frequent Penetration Testing
The Pros of Less Frequent Testing
- Cost savings. Fewer tests mean lower direct testing costs.
- Minimal disruption to daily operations. There is often a fair bit of work that goes into preparing, scheduling, carrying out and following up on a penetration test that can be minimized with less frequent testing.
- Longer remediation time. Whilst I often find many organizations have the same vulnerabilities year over year, an argument can be made that there is more time for remediation with less frequent testing.
The Cons of Less Frequent Testing
- Increased risk. If you test infrequently, you will have more undiscovered vulnerabilities in your network and systems, and this may lead to security breaches.
- Compliance panic. Whilst I just made this phrase up, it describes what an organization that is not ready for an audit does when leading up to an audit to achieve compliance. Less frequent testing will make achieving compliance more difficult.
- Delayed detection. Waiting longer between tests may delay the discovery and remediation of vulnerabilities.
- Poor security culture. Without frequent testing to keep us in check, the organization’s security mindset may deteriorate.
Balancing the pros and cons of penetration testing frequency is often overlooked but is a crucial part of maintaining an effective security posture. Ultimately it comes down to your organization’s risk profile, budget, compliance requirements, and business objectives.
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PJWT and PWPT certifications.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.