Companies consider cybersecurity as the number 1 priority topic when it comes to taking business risk management measures, as outlined, for example, in the most recent risk barometer report from Allianz. How did the businesses without extensive internal cybersecurity teams identify the potential vulnerabilities in their environments and what are the typical use cases to engage a pen-testing team to uncover the security threats?
Use case 1: Own developed web-application
A company has one or more web applications delivered to the users via a web-browser. Quite some technology is utilized behind the scene to power that web-application, being it frontend or backend, eventually there are also APIs offered to the customers to connect to the web application.
The web-applications are exposed to the global internet and can be attacked from everywhere in the world, so it is a very significant business protection measure to pen-test them and do all efforts required to secure every identified security issue.
Use case 2: Customized web-shop
A customized web-shop integrated into the website of a company, including login/authentication and some adjustments tailored to companies business processes, is often targeted by hacker attacks.
While the provider takes care of the security of the offered standard web-shop, as soon as customer specific adjustments are made, it is the customer’s responsibility to keep those adjustments secure.
Pen-testing can provide very valuable information regarding the security level of the web-shop custom adjustments.
Use case 3: Certification confirmation
Company has acquired one or more certifications (e.g. TISAX, ISOxx, etc.) which are crucial for its business with its customers and there is a requirement to provide proof of executed pen-tests, their results and fixes/remediation regularly, for example once a year, to keep the certifications valid.
Pen-testing has even a multi-value in this case, providing actual insights into the security grade of companies relevant systems AND making sure the business critical certifications are not impacted.
Use case 4: Mobile application
A company has one or more own developed mobile applications available in the application stores worldwide, iOS and Android. For this use case a very similar pen-testing benefit is valid as for “Own developed web-application” – the major difference is an additional layer of integration into the application stores and testing the possible vulnerabilities there.
There are lots of other use cases of getting great leverage from pen-testing (e.g. network security, clients security, cloud security, etc.) and we’ll come back with them incl. some details later in our upcoming blog posts again.
