Everyone who creates software wants their application to meet the highest quality standards.
Before anything moves into production, code reviews, along with automated and manual testing, seek to ensure everything is working as intended, and that bugs are eliminated.
Testing for security vulnerabilities is a crucial part of this process and needs to be supported by specialist tools. If this is skipped or treated as an afterthought, or if the correct tooling is not available, it can create delays, require rollbacks and produce potentially costly dangers for clients and end-users.
The battle to ensure applications are secure never stops. New edge cases and vulnerabilities are recorded every day, so applications previously thought impervious to attack suddenly need new revisions to their code.
At the same time, cybercriminals are able to operate extremely quickly, continually innovate their methods and are unrelenting. In the UK, four in ten businesses reported cyber-breaches or attacks in 2021 – with the proportion higher for larger organisations where 64% had suffered attacks.
While cybersecurity standards are high at most companies, there’s clearly still much more to be done – especially since these figures typically rise each year.
Imitating the enemy
To improve security at the development level, developers should spend at least some of their time seeking to breach their own systems, using the tools and techniques of the enemy. This discipline – known as penetration testing – offers unique insights into security that aren’t revealed by other forms of testing.
Just to be super-explicit, penetration testing does not replace any of the standard tests, scans and reviews that comprise current security practices. Rather, it is a very useful complement to those procedures that offers a different perspective that can shine a light on areas of weakness that might not otherwise have been considered.
It’s also worth noting that penetration testing isn’t a one-off seal of security: it can only give assurances for the day the testing takes place. Tomorrow’s security landscape is a different place and your risks are different.
Attempting to break into your own applications by employing the very tools used by criminal hackers creates a different mindset regarding security, which results in better code and better security. Rather than being focused on ensuring the intended uses for an application are enabled, we focus instead on unintended uses.
Very often, vulnerabilities exist on the edges of functionality: that is, pushing the boundaries of what programs are intended to do can reveal gaps where attackers can find their way in.
Sometimes these might be the result of oversights in code, but very often they’re about flaws in the software design or the business logic that dictates that design. The code is written correctly to specification, but the specification itself creates unimagined possibilities for abuse and breaches.
These flaws create vulnerabilities that are quite different to those created by accidental misconfigurations, using vulnerable open source software or not following best practice in the way code is written. They may not be the developer’s fault, but as the guardian of the application’s security, the developer is still responsible for them.
The pen-test toolkit
The modern pen-tester doesn’t rely on their own wiles and cunning: they’re very well-equipped and can automate many aspects of their work – just like the bad guys trying to breach your systems. The tools available include fuzzers, which try to inject unexpected values wherever they can be input in the hope of crashing the application or obtaining further access to code or data that should be hidden from view. In web apps, they might input peculiar values to form fields, user-generated content submissions or URLs, for example.
Then, exploit kits are available from responsible, white hat sources that allow developers to use the known techniques of real-world hackers to try to penetrate security. Additionally, penetration-testing scanning software is available, but instead of scanning your system for malware or bad actors, it scans for possible points of ingress. Such scanners might attempt thousands of different breach techniques, far more than even the most experienced developers could remember to test for, and so provide a powerful tool for finding chinks in your armour.
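As an added illustration of two points made above (fuzzers pushing boundary values into input fields, and flaws that live in the specification rather than the code), here is a small Python harness. It is not code from the article or from any real pen-testing tool; the toy checkout handler, its catalogue prices, coupon codes and order limits are all assumptions constructed for the example. The first handler is written exactly to a spec that never says what a zero or negative quantity means; the second adds the validation the spec forgot to ask for.

```python
import random
from dataclasses import dataclass, field

# Constructed example: a toy checkout handler plus a small fuzz harness.
# The catalogue, coupons and limits below are assumptions for illustration.
COUPONS = {"TEN": 10, "HALF": 50}       # coupon code -> percentage off
CATALOGUE_PENCE = [199, 1250, 9999]     # unit prices the shop sells at (trusted)
MAX_QUANTITY = 1000                     # business rule: no order above 1000 units
MAX_ORDER_PENCE = 10_000_000            # business rule: no order above 100,000 GBP


def checkout_total_v1(quantity, unit_price_pence, coupon=""):
    """To spec: 'quantity comes from the form, coupons take a percentage off'.
    The spec is silent on zero or negative quantities, so so is the code."""
    qty = int(quantity)                  # accepts "-1", "0", " 2 ", 2**63, True ...
    subtotal = qty * unit_price_pence
    pct = COUPONS.get(coupon, 0)         # unknown coupons silently become 0% off
    return subtotal - (subtotal * pct) // 100


def checkout_total_v2(quantity, unit_price_pence, coupon=""):
    """Hardened: every untrusted input is checked against the business rules
    before any arithmetic happens; anything odd is rejected with an error."""
    if isinstance(quantity, str):
        # Plain ASCII digits only: rejects signs, padding, exponents, Unicode digits.
        if not (quantity.isascii() and quantity.isdigit()):
            raise ValueError("quantity must be a decimal integer")
        qty = int(quantity)
    elif isinstance(quantity, int) and not isinstance(quantity, bool):
        qty = quantity
    else:
        raise TypeError("quantity must be an int or a decimal string")
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    if not (isinstance(unit_price_pence, int) and unit_price_pence > 0):
        raise ValueError("bad catalogue price")
    if coupon not in ("", *COUPONS):
        raise ValueError("unknown coupon")
    subtotal = qty * unit_price_pence
    return subtotal - (subtotal * COUPONS.get(coupon, 0)) // 100


def check_invariants(total):
    """Oracle: what any accepted checkout total must look like, whatever the
    input was. Returns the broken rule, or None when the total is fine."""
    if isinstance(total, bool) or not isinstance(total, int):
        return "total is not an integer number of pence"
    if total <= 0:
        return "total is zero or negative"
    if total > MAX_ORDER_PENCE:
        return "total exceeds the maximum order value"
    return None


# Boundary values a fuzzer pushes into a quantity field: empty, zero, signs,
# padding, other number syntaxes, huge numbers, injection-looking strings
# and plain wrong types.
EDGE_QUANTITIES = ["", "0", "-1", "1", "01", " 2 ", "+3", "1e3", "0x10",
                   "9" * 40, "1; DROP TABLE orders", None, True, 3.5,
                   float("nan"), -1, 0, 2**63]
EDGE_COUPONS = ["", "TEN", "HALF", "ten", "HALF ", None, "X" * 200]


@dataclass
class FuzzReport:
    accepted: int = 0
    rejected: int = 0                                # TypeError/ValueError: handler said no
    crashes: list = field(default_factory=list)      # any other exception type
    violations: list = field(default_factory=list)   # accepted input, broken invariant


def fuzz(handler, rounds=500, seed=1):
    """Feed boundary and random quantities/coupons to `handler` and record
    every accepted input whose total breaks the oracle."""
    rng = random.Random(seed)
    report = FuzzReport()
    for _ in range(rounds):
        if rng.random() < 0.5:
            quantity = rng.choice(EDGE_QUANTITIES)
        else:
            n = rng.randint(-5, 2000)
            quantity = n if rng.random() < 0.5 else str(n)
        args = (quantity, rng.choice(CATALOGUE_PENCE), rng.choice(EDGE_COUPONS))
        try:
            total = handler(*args)
        except (TypeError, ValueError):
            report.rejected += 1
            continue
        except Exception as exc:                     # a fuzzer wants every other failure
            report.crashes.append((args, type(exc).__name__))
            continue
        report.accepted += 1
        problem = check_invariants(total)
        if problem is not None:
            report.violations.append((args, total, problem))
    return report


if __name__ == "__main__":
    for name, handler in (("v1", checkout_total_v1), ("v2", checkout_total_v2)):
        r = fuzz(handler)
        print(f"{name}: accepted={r.accepted} rejected={r.rejected} "
              f"crashes={len(r.crashes)} violations={len(r.violations)}")
        for args, total, problem in r.violations[:5]:
            print(f"  {args!r} -> {total!r}: {problem}")
```

The harness knows nothing about the bug; all it carries is an invariant ("a checkout total is a positive whole number of pence within the order limit") and a list of values that sit on the edges of what a quantity field is meant to hold. Against `checkout_total_v1` it reports negative and zero totals from inputs like `"-1"` and `"0"`, and an absurdly large total from `2**63`, none of which the handler rejected; against `checkout_total_v2` every such input is rejected and the remaining accepted totals all satisfy the oracle. That is the shape of a business-logic finding: the code did what the specification said, and the specification was the problem.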
Learning how to carry out penetration testing is a very valuable skill for developers and will broaden their understanding of what goes into building secure applications beyond what they already know from the perspective of a code author.
It will help create a mindset that always thinks about the loopholes and looks to secure against the most unexpected behaviours – this is particularly valuable to organisations because those are exactly the routes cybercriminals will take.