SEC11-BP03 Perform regular penetration testing
Perform regular penetration testing of your software. This mechanism helps identify potential software issues that cannot be detected by automated testing or a manual code review. It can also help you understand the efficacy of your detective controls. Penetration testing should try to determine if the software can be made to perform in unexpected ways, such as exposing data that should be protected, or granting broader permissions than expected.
Desired outcome: Penetration testing is used to detect, remediate, and validate your application’s security properties. Regular and scheduled penetration testing should be performed as part of the software development lifecycle (SDLC). The findings from penetration tests should be addressed prior to the software being released. You should analyze the findings from penetration tests to identify if there are issues that could be found using automation. Having a regular and repeatable penetration testing process that includes an active feedback mechanism helps inform the guidance to builders and improves software quality.
Common anti-patterns:
-
Only penetration testing for known or prevalent security issues.
-
Penetration testing applications without dependent third-party tools and libraries.
-
Only penetration testing for package security issues, and not evaluating implemented business logic.
Benefits of establishing this best practice:
-
Increased confidence in the security properties of the software prior to release.
-
Opportunity to identify preferred application patterns, which leads to greater software quality.
-
A feedback loop that identifies earlier in the development cycle where automation or additional training can improve the security properties of software.
Level of risk exposed if this best practice is not established: High
Implementation guidance
Penetration testing is a structured security testing exercise where you run planned security breach scenarios to detect, remediate, and validate security controls. Penetration tests start with reconnaissance, during which data is gathered based on the current design of the application and its dependencies. A curated list of security-specific testing scenarios are built and run. The key purpose of these tests is to uncover security issues in your application, which could be exploited for gaining unintended access to your environment, or unauthorized access to data. You should perform penetration testing when you launch new features, or whenever your application has undergone major changes in function or technical implementation.
You should identify the most appropriate stage in the development lifecycle to perform penetration testing. This testing should happen late enough that the functionality of the system is close to the intended release state, but with enough time remaining for any issues to be remediated.
Implementation steps
-
Have a structured process for how penetration testing is scoped, basing this process on the threat model
is a good way of maintaining context. -
Identify the appropriate place in the development cycle to perform penetration testing. This should be when there is minimal change expected in the application, but with enough time to perform remediation.
-
Train your builders on what to expect from penetration testing findings, and how to get information on remediation.
-
Use tools to speed up the penetration testing process by automating common or repeatable tests.
-
Analyze penetration testing findings to identify systemic security issues, and use this data to inform additional automated testing and ongoing builder education.
Resources
Related best practices:
Related documents:
-
AWS Penetration Testing
provides detailed guidance for penetration testing on AWS -
Modernize your penetration testing architecture on AWS Fargate
Related examples:
-
Automated security helper
(GitHub)