Picture this: You’ve just spent the past few days (or maybe weeks) working alongside your development team and the penetration testing service you hired. The test environment was created, the access was granted and the tests were run. Now the final report with your results has been delivered, and it’s longer than you expected (possibly way longer).
The results may shock you, but look at it this way: it’s a good thing you decided to do your due diligence. You’re now one step further ahead of the real hackers who are out to steal your data. View that report as a goldmine of data. That data can be turned into information with specific insights on how to improve your security posture.
So, here’s your quick and dirty guide on what to do with the report to make sure that your application is confidently secure.
Unlike other assessments, a pentest runs a simulated attack and reports what an attacker would actually see and reach. Penetration testers map your unique attack surface and apply a testing methodology that checks for exploitable vulnerabilities and for gaps against the compliance requirements you need to meet. This type of assessment can uncover blind spots and vulnerabilities that an administrator or an automated scanner can’t see, which is why its findings are among the most valuable you’ll get.
But those insights are only as valuable as what you do with them. Here are the steps to take following the test to get the most out of your results.
Whether you’ve performed a full test or simply re-tested the latest software update, your report will contain precise documentation of every issue found. This typically includes screenshots, request/response captures and other supporting evidence.
Pay careful attention to these and present the full report to your team to debrief. In other words, don’t assume something is unimportant or extra and leave it out just to save time. Review, discuss, and make sure everyone is on the same page about your pentest results.
At this point, it’s wise to compile a list of follow-up questions for your pentester. They’re usually willing to talk about results, clarify or explain points, and provide additional insights into the results of a pentest.
Pro insights: Research has repeatedly shown that businesses overestimate their cybersecurity. Most companies unknowingly push vulnerable code into production, and surveys suggest that only around 5% have adequate protection on their data. So, if you have more vulnerabilities in your code than expected, recognize that you’re one of the few on the right track to building a better AppSec or WebSec program.
A good report from a reputable company will include everything you need to replicate each issue that they’ve found. Make doing so a priority as soon as possible.
There are two big reasons for this.
First, false positives exist. These are findings flagged as a vulnerability when, in reality, the behaviour is correct or the issue is not exploitable in your environment (for example, a scanner-reported version number that doesn’t reflect a backported fix).
Second, reproducing errors or vulnerabilities will help you to understand them internally. Vulnerabilities can take many shapes, and allowing your team to practice finding and identifying known security flaws empowers an internal security culture. As they learn where security bugs can be found, they also learn how to build more secure code by design. In turn, each update will run less risk, and less team effort will be needed for patching errors after launch.
If you aren’t able to reproduce an identified issue, get hold of your pentester. A reputable service will be willing to assist and take a second look.
3. Rate Each Risk
If the pentest returned more than one finding, you’ll need to rate them according to severity. That will help you get a sense of where the team must focus its efforts.
At this point, it might prove helpful to adopt a scoring framework. The Common Vulnerability Scoring System (CVSS) is the most widely used open framework for scoring the severity of vulnerabilities. It uses a set of base metrics (attack vector, attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity and availability) to calculate a score from 0 to 10 for each item.
A great characteristic of CVSS is that it is used by the National Vulnerability Database (NVD). If your pentesters identified known vulnerabilities in third-party components, you can simply look up their scores in the NVD. Keep in mind that most findings in your own application code won’t be in the NVD at all, since it only covers publicly disclosed vulnerabilities, so for those you’ll be scoring the base metrics yourself. It’s also worth noting that the NVD only provides CVSS ‘base scores’, which represent the innate characteristics of each vulnerability. It doesn’t provide ‘temporal’ or ‘environmental’ scores. Temporal metrics change over time due to events external to the vulnerability (exploit code becoming public, a vendor fix being released), while environmental metrics tailor the score to the impact of the vulnerability on your organization (how the affected system is exposed, and how much confidentiality, integrity and availability matter for it). Software Secured bases our scoring on a mix of industry standards - learn more about our scoring here.
This CVSS calculator allows you to calculate the ‘temporal’ and ‘environmental’ scores. It also provides more in-depth information about calculating the severity of vulnerabilities.
Once you’ve rated each risk, prioritize them with the following ratings: