Security testing: Essential or simply complementary?
A 2019 study on the effectiveness of corporate security strategies found that 53% of businesses don’t know if their security tools are working. This means that they do not perform security tests. If they have something that looks like a security validation, it is probably inconclusive or is being conducted in an unsystematic manner.
However, a more recent study found that around 70% of organizations perform penetration testing to prevent cyber breaches. Many already recognize the importance of testing their security checks. This finding coincides with a report that says the global security testing market is huge and is accelerating rapidly.
“The increasing number of mission-critical applications for web and mobile-based businesses requiring more secure endpoint protection and businesses implementing security measures to avoid financial loss due to increased sophistication of cyber attacks are driving the growth of the global security testing market,” writes the Security Testing Market report.
Does this mean that organizations already see security testing as a vital aspect of their cybersecurity or do they still see it as an add-on, something that works as a backing? Do organizations view security testing as a critical element the absence of which will cause their security posture to collapse or something that only improves their cyber defense?
The need for security validation
There is no doubt that security testing is essential for a strong security posture. In today’s cyber threat landscape, it is not enough to install security controls. These controls must be tested for their effectiveness in the face of real attacks. Organizations still looking to determine whether or not security testing is essential are way behind when it comes to cybersecurity best practices.
Terms like penetration testing, red teaming, blue teaming, security auditing, and vulnerability testing are already fairly common in the cybersecurity community. Businesses need to be aware of this. They should, for example, be able to answer the question “What is breach and attack simulation?”, since it is seen as the method replacing traditional penetration testing. Likewise, security-conscious organizations should embrace the purple team instead of sticking to the traditional red and blue teams.
In the red and blue team approach, the red team takes the adversarial role, attacking whenever it sees fit to exploit vulnerabilities at their weakest. Its goal is simply to reveal exploitable flaws. Meanwhile, the blue team consists of the defenders, responsible for implementing defensive security, damage control, and incident response. A purple team exists when the two teams collaborate and coordinate, to ensure that all possible avenues are explored.
Meanwhile, Breach and Attack Simulation, or BAS, automates the process with continuous attacks, in the form of repeated penetration testing performed through SaaS tools. The goal with BAS is to determine if the security measures and protections are sufficient to detect, mitigate and combat such threats. However, continuous security validation goes hand in hand with BAS to ensure that automated and continuous monitoring is properly analyzed and measured, ensuring that the organization can adjust its defenses accordingly.
Again, security testing is a must. Many see it as complementary because there are no legal rules that make it clearly mandatory. However, updated security guidelines, standards, and best practices suggest the need to ensure that security controls are functioning as intended. The OWASP Foundation, for its part, has its own web security testing guide. The United States Cybersecurity and Infrastructure Security Agency (CISA) provides best practices for security testing. Other standards such as ISO 15408 and UL 2900 also emphasize the importance of security testing.
All the bells and whistles of supposedly advanced and expensive cybersecurity tools and solutions mean nothing if they prove ineffective when exposed to real cyber attacks. Even with their best efforts, it is inevitable that developers will make mistakes or missteps that result in writing vulnerable code. To minimize risk, performing thorough security testing is a no-brainer.
Go beyond compliance
However, security standards or guidelines should not be seen as the alpha and omega of cybersecurity. As a survey on validating the effectiveness of security controls reveals, about 47%, almost half, of organizations admit to simply aiming for regulatory compliance instead of achieving true cybersecurity. It is important to stress that compliance is not synonymous with reliable security.
Checking all the boxes in the lists of security rules does not guarantee true cyber protection. Kerry Bailey, a member of the Forbes Technology Council, writes: “A business can be 100% compliant and yet 100% owned by cybercriminals. Many companies document every cybersecurity action and check all of the appropriate compliance boxes. Even after all this, they are still making the headlines and losing their customers’ data. Compliance doesn’t mean security,” says Bailey.
Target, for example, suffered a data breach in 2013 despite being certified against the Payment Card Industry (PCI) security standard the same year. Alibaba, which prides itself on complying with various security standards and proactively participating in security compliance associations, unknowingly allowed a web crawler to collect massive amounts of customer data.
“Security is a journey; being compliant is just the start.” This wisdom shared by cybersecurity expert Youssef Elmalty beautifully captures the essence of cybersecurity, especially when it comes to the need for continuous testing. Installing the required security controls is just the first step. The initial testing process is also only a small part of the security journey. Whenever possible, testing should be done frequently and on an ongoing basis to ensure that the latest threats are covered.
Many security companies and internal corporate IT departments have adopted the MITRE ATT&CK framework to improve the assessment of their respective security controls. There are no laws or industry standards that require the strict adoption of this globally accessible knowledge base of adversary tactics and techniques. However, organizations have decided to incorporate it into their security assessment processes because they know it helps.
This use of the MITRE ATT&CK framework is something that can be described as complementary. However, organizations have learned to make it part of their cybersecurity posture. Will their cyber defenses completely fail if they avoid using the framework? This is unlikely to be the case. However, this additional tool proves to be beneficial for the red, blue and purple teams when they are stress-testing their security systems.
Put simply, security testing is largely an additional activity in cybersecurity, but it is seen as essential because of its role in verifying that an organization’s security controls are functioning. Organizations will not automatically fall victim to cyber attacks if they remove security validation. However, they have a better chance of surviving or even preventing an attack if they have examined the effectiveness of their defenses and implemented any fixes or adjustments necessary to address the vulnerabilities.
Security testing is not mandatory, but it is essential to ensure that investments made in cybersecurity produce real benefits instead of making it something like a game of chance. Not knowing if something is actually working as it should is an uncertainty that businesses cannot afford given the rising costs and more severe consequences of cyber attacks. For this, the additional process of security testing is essential.
Peter Davidson works as a Senior Business Associate to help brands and start-ups make effective business decisions and plan appropriate business strategies. He’s a big fan of gadgets who loves to share his take on the latest technology and apps.