Security testing: Essential or simply supplemental?
A 2019 study on the effectiveness of enterprise security strategies found that 53 percent of enterprises do not know whether their security tools are working. This means that they do not undertake security testing. If they have anything that has the guise of security validation, it is likely inconclusive or conducted in an unsystematic manner.
However, a more recent study found that around 70 percent of organizations perform penetration tests as a way of preventing cyber breaches. Many already acknowledge the importance of testing their security controls. This finding coincides with a report that says that the global security testing market is huge and rapidly accelerating.
"Surge in web and mobile-based business critical applications requiring higher secure endpoint protection and enterprises implementing security measures to prevent financial losses due to increased sophistication in cyberattacks boosts global security testing market growth," the security testing market report states.
Does this mean that organizations already view security testing as a vital aspect of their cybersecurity, or do they still perceive it as supplemental, something that functions in a supporting capacity? Do organizations think of security testing as a crucial component whose absence will lead to the collapse of their security posture, or as something that merely enhances their cyber defense?
The need for security validation
There is no doubt that security testing is essential for a solid security posture. In the current cyber threat landscape, it is not enough to have security controls installed. These controls need to be tested for their effectiveness in the face of actual attacks. Organizations that are still figuring out whether security testing is essential or not are way behind when it comes to cybersecurity best practices.
Terms such as penetration testing, red teaming, blue teaming, security auditing, and vulnerability testing are already quite common in the cybersecurity community. Enterprises should be aware of these. They should even be answering the question, "what is breach and attack simulation?", for example, given how it is regarded as the method that supersedes traditional pen-testing. Similarly, security-conscious organizations are expected to adopt purple teaming instead of getting stuck with traditional red and blue teaming.
In the red and blue team approach, the red team takes the adversarial role: it is authorized to attack whenever it judges the timing best for exploiting vulnerabilities at their weakest. Its goal is simply to reveal exploitable flaws. Meanwhile, the blue team are the defenders, responsible for implementing defensive security, damage control, and incident response. Purple teaming is when the two teams collaborate and coordinate, to ensure that all possible avenues are explored.
Meanwhile, breach and attack simulation, or BAS, automates the process with continuous attacks, as a form of repeated penetration testing delivered through SaaS tools. The aim of BAS is to determine whether the security safeguards and protections are enough to detect, mitigate, and fight against such threats. Continuous security validation goes hand in hand with BAS, however: it ensures that the results of the automated and continuous testing are properly analyzed and measured, so that the organization can adjust its defenses accordingly.
Again, security testing is a must. Many view it as supplemental because there are no legal rules that clearly make it compulsory. However, updated security guidelines, standards, and best practices suggest the need to ensure that security controls work as they are intended. The OWASP Foundation, for one, has its own web security testing guide. The United States Cybersecurity and Infrastructure Security Agency (CISA) provides best practices for security testing. Other standards such as ISO 15408 and UL 2900 also outline the significance of security testing.
All the bells and whistles of the supposedly advanced expensive cybersecurity tools and solutions do not mean anything if they prove to be ineffective when exposed to real cyber attacks. Even with all their best efforts, it is inevitable for developers to commit some mistakes or missteps that result in the writing of vulnerable code. To minimize the risks, conducting thorough security testing is a no-brainer.
Going beyond compliance
Security standards or guidelines should not be regarded as the be-all and end-all of cybersecurity, though. As one survey on the validation of security control effectiveness reveals, around 47 percent, or nearly half, of organizations admit to merely targeting regulatory compliance instead of attaining genuine cybersecurity. It is important to drive home the point that compliance does not equate to reliable security.
Ticking all the boxes for lists of security regulations does not guarantee real cyber protection. As Forbes Technology Council member Kerry Bailey writes, "A company can be 100 percent compliant and yet 100 percent owned by cybercriminals. Many companies document every cybersecurity measure and check all appropriate compliance boxes. Even after all that, they still hit the headlines and lose customer data. Compliance doesn't mean security," Bailey explains.
Target, for example, suffered a data breach back in 2013 despite having been certified as compliant with the Payment Card Industry (PCI) security standard in the same year. Alibaba, which prides itself on complying with various security standards and proactively participating in security compliance associations, unknowingly allowed a web crawler to harvest massive amounts of customer data.
"Security is a journey; being compliant is just the beginning." This wisdom shared by cybersecurity expert Youssef Elmalty beautifully captures the essence of cybersecurity especially as it pertains to the need for continuous testing. Installing the required security controls is only the first step. The initial testing process is also only a small part of the security journey. As much as possible, testing should be conducted frequently and ceaselessly to make sure that the latest threats are covered.
Many security firms and the internal IT departments of enterprises have adopted the MITRE ATT&CK framework to enhance the evaluation of their respective security controls. There are no laws or industry standards that require the strict adoption of this globally accessible knowledge base of adversary tactics and techniques. However, organizations have decided to integrate it into their security evaluation processes because they know it helps.
This use of the MITRE ATT&CK framework is something that can be characterized as supplemental. However, organizations have learned to make it a part of their cybersecurity posture. Will their cyber defenses completely fail if they avoid using the framework? That's unlikely to be the case. However, this supplemental tool proves to be beneficial to red, blue, and purple teams alike as they stress test their security systems.
Simply put, security testing is largely a supplemental activity in cybersecurity, but it is perceived to be essential because of its role in ascertaining that an organization’s security controls are working. Organizations will not automatically fall to cyber-attacks if they do away with security validation. However, they have better chances of surviving or even preventing an attack if they have examined the effectiveness of their defenses and implemented the necessary corrections or tweaks to address the vulnerabilities.
Security testing is not compulsory, but it is essential in making sure that the investments made in cybersecurity yield actual benefits instead of turning cyber defense into a game of chance. Not knowing whether something actually works the way it should is an uncertainty that enterprises cannot afford in view of the growing costs and harsher consequences of cyberattacks. For this reason, the supplemental process of security testing proves to be essential.
Peter Davidson works as a senior business associate helping brands and start-ups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.