When to get tested?
Periodic testing is applicable where there is a requirement for assets to be tested regularly to ensure that a security level or “baseline” is maintained. The frequency and thoroughness of the penetration test may vary, depending on the risk profile or classification of the asset.
Acceptance testing should be conducted prior to the production deployment of a new system or application. A penetration test can provide assurance that the components about to be introduced into a production environment comply with the organisation’s security standards. Penetration testing also ensures that the security level of the infrastructure as a whole is not unexpectedly degraded by the deployment of new applications or systems.
Penetration testing should be conducted when one or more of the following scenarios arise:
- An infrastructure, system or application is ready for deployment, or has been significantly changed or updated. Penetration testing will help to validate the application from a security perspective and ensure the appropriate security measures have been implemented.
- A breach of security has taken place and an attacker has gained some form of unauthorised access. Penetration testing can be applied to confirm that the system now contains adequate security controls and that the compromise cannot be repeated by the same route.
- A previous penetration test has revealed findings that require follow-up and remediation. It is recommended that, following any remediation work, a light regression test is performed to verify not only that the findings have been addressed, but also that the fixes have not introduced further security issues.