Why Developers Need Penetration Testing

Liam Follin

Senior Consultant

Liam is one of the senior consultants at Pentest People. With a wide range of skills and experience, from Web Applications to Social Engineering, he is able to give informed comments and opinions on cybersecurity matters.


Data breaches

A quick Google search for ‘data breach’ returns countless results. Just recently our sister company, RapidSpike, innocently found a data breach made by York City Council. It seems stories related to data breaches are reported daily.

The results of a data breach vary: you could face hefty fines under GDPR, you could ruin your company’s reputation, your clients could be put at risk, and your stress levels will go up. It is more important than ever that developers push for a Pentest.

Before working at Pentest People, I was not too familiar with Penetration Testing.

What is a Pentest?

I only really came across a Pentest once in previous employment. After completing work for a large, well-known international brand, the application went through a Web Application Test. The reason for the test and the full test report were never really passed back to the development team. We were told of a few things that did not work, but were not informed of any potential vulnerabilities found, or even what the testers were looking for, which rather defeats the point of a Pentest.

Penetration Testing

Penetration testing is the practice of testing a computer system, network or web application for vulnerabilities that an attacker could exploit, before an attacker does. It comes in many forms, from automated scanning to manual testing by an ethical hacker who thinks and behaves like a real adversary.

Every application should be tested in some form. Pen testing should not be restricted to large applications or large software houses; any application, however small, can be exploited if its vulnerabilities are not found and dealt with.

Types of Penetration Tests

Penetration tests come in several forms, including network scans, Web Application tests, and Social Engineering such as phishing attacks. Each uncovers a different class of weakness, and the results are often surprising.

The most significant advantage of a pen test is that vulnerabilities are identified by people on your side before an attacker finds them. As a developer it also opens your eyes to things you may not have thought about or even known about.

As developers we know to look for certain vulnerabilities and to make sure our applications are guarded against the OWASP Top 10. We know, for example, to parameterize our queries with PDO and to validate user input. But do all developers know how a Man-in-the-Middle attack works, or what it exposes in their application? Just as we are blind to usability issues and bugs in our own code, developers will not always know about every potential vulnerability in their application.

Taking Action

This is where the Pentest comes in. A Pentest will highlight things that you may never have thought of. A report can tell you that your system has ‘Web Application Cookies Not Marked HttpOnly’ (meaning any script that runs in the page, such as an injected one, can read the session cookie) or multiple ‘SSL issues’ (such as outdated protocol versions or weak cipher suites still being accepted). Each finding is rated by severity, so you also know which vulnerabilities are critical and must be resolved as soon as possible.
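Two of the findings mentioned above, the parameterized PDO query from the earlier paragraph and the missing HttpOnly flag from this one, are shown together below. This is an added example, not code from the original article or from Pentest People: the `users` table, its rows, the attacker input and the `session` cookie name are all constructed for the demonstration, and the database is an in-memory SQLite instance so the script runs offline.

```php
<?php
// Added example (not from the original article): SQL injection via string
// concatenation versus a PDO prepared statement, plus a cookie set with the
// flags a pentest report would expect. The table, rows, attacker input and
// cookie name are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: user input is spliced straight into the SQL text, so the
// input can change the structure of the statement.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL text is constant; the value travels as a bound parameter
// and is only ever treated as data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker-controlled input: closes the quoted string and adds
// an always-true condition, so the vulnerable query matches every row.
$attackerInput = "' OR '1'='1";

$leaked = findUserVulnerable($pdo, $attackerInput);
echo 'Vulnerable query returned ' . count($leaked) . " row(s): every user is returned\n";

$safe = findUserSafe($pdo, $attackerInput);
echo 'Prepared statement returned ' . count($safe) . " row(s): no user has that literal name\n";

// The 'Cookies Not Marked HttpOnly' finding is fixed where the cookie is
// set. From PHP 7.3 setcookie() takes an options array: httponly keeps the
// cookie out of reach of page scripts, secure keeps it off plain HTTP, and
// samesite limits cross-site requests carrying it. Skipped under the CLI,
// where there is no HTTP response to attach the header to.
if (PHP_SAPI !== 'cli') {
    setcookie('session', bin2hex(random_bytes(16)), [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

Run it with `php example.php`: the concatenated query returns both rows for the injected input while the prepared statement returns none. The `setcookie()` call is what turns a report line about cookie flags into a one-line fix in the code that issues the session cookie.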

A full Social Engineering test may not be needed if you are just a small development house, but I strongly recommend that developers invest time in automated tools, read up on the OWASP Top 10 and push management to use the services offered by Penetration Testers (use Pentest People, obviously).

With the number of data breaches reported recently, ignoring security is not worth the risk, or the stress. A Pentest can give you peace of mind and prevent embarrassing slip-ups and large legal fees.

The results of the Pentest will also help you code better and think more about security during development. You will start to think about how an application can be used by an attacker rather than only how it should be used, and to consider security first with each new feature or update you release.
