January 28, 2021
Proactive cybersecurity protections are critical to overall product success due to increasing risk, combined with consumer and enterprise awareness of cyber practices and their impact. River Loop Security works with a wide variety of organizations to secure their products; as a result we have seen the effectiveness proactive security has on their success. One tool that we often draw upon is penetration testing (‘pentest’ for short), or the act of simulating a scenario in which a malicious actor is attempting to penetrate a device or system. From this scenario, we are able to emulate the attacker mindset and see things that are often missed during regular code review or quality assurance, resulting in valuable feedback that can be used to further secure a system. In this post we will be discussing some key advantages penetration tests provide, the differences in testing during various stages of the product lifecycle, along with some of our methodology on how we work with teams to provide the most value during a penetration test.
Benefits of Penetration Testing
There are a multitude of benefits that penetration tests provide. Not only do they find security flaws in your design before a malicious actor does, but adopting the attacker mindset may find items that are missed during normal code reviews. The flaws found during testing are turned into actionable remediation plans which assist teams with the technical implementation of changes to better secure products. Further, this helps build an in-house understanding of the causes and remediations to vulnerabilities. This greatly increases the technical depth of engineers and empowers them to reason about security in the future. We often also provide feedback on areas where a product design exposes an increased risk of manifesting a vulnerability in the future so that teams can reduce their risk exposure as much as possible.
Penetration Test Roadmap
So you’ve decided that performing a penetration test is beneficial for your organization. Now comes planning the execution. Our best advice here is to engage with your security partner as soon as possible. We have seen repeatedly that organizations receive the most value when they engage with us earlier. This allows us to understand goals and product designs, and jointly develop the ideal roadmap to success.
Engaging During Design Phase
If you’re in the process of designing and engineering your product, the ideal time to perform a penetration test can be difficult to determine. The product should be mature enough so that the design is reflective of what will be deployed to customers – a pentest on something that doesn’t make it to market doesn’t provide value to your organization. However, you don’t want to perform the pentest so late in the design process that all designs and technical considerations are fixed. This prevents security findings from being easily remediated. In fact, sometimes findings can not be remediated at all due to design limitations baked into the hardware, resulting in either expensive design changes often delaying release or shipping a product in a known insecure state. This is why we highly recommend engaging with us sooner rather than later so we can point out these common pitfalls to avoid those expensive mistakes.
Engaging Post Design Phase
This dichotomy of timing needs to be balanced and we often describe this balancing as “threading the needle”, where we attempt to find the most ideal place in the design process to perform a pentest. What if your product is already in the market? In this case, it is still possible to perform a pentest, and we highly recommend doing so. Even though findings are easier to fix during design and development, we have extensive experience working with engineering teams to produce technical solutions to security vulnerabilities, even when the product is already in the field. From a high level, there are a few things to consider when planning your penetration test on a product already in market:
- Maintaining Production Availability: Penetration testing production systems can be risky and limits the types of testing we’re able to do (to maintain system stability). We recommend testing against a staging environment where system uptime and functionality doesn’t have an effect on user experience to allow for appropriate testing.
- Roadmap Considerations: Consider and make us aware of any expected changes to architecture, software, or firmware so that we can properly take those changes into account when testing. There is no sense in spending valuable resources testing something that won’t exist in a few days!
- Test System Availability: If hardware attack vectors are being assessed, it is helpful to have multiple samples of the target device so we can expand our testing to attack methods which affect the device stability. Access to multiple devices prevents these stability occurrences from disrupting the pentest.
Shared Considerations
Whether or not you’re performing a pentest during the design process or on a product already in market, we will engage with key players on your team to ensure your organization gartners the most value from the pentest. This can include everyone from engineers to executives. There are a few advantages to this approach:
- Background: Teams often provide broad clarity regarding technical design implementation. This helps to ensure testing accuracy.
- Motivations: We always want to understand the drivers behind decision making. This gives us insight into the thought process behind a design.
- Maintain Vision: We are enablers, not blockers. Wherever possible, we try to fit security into the original product vision to maintain the creativity that makes your teams stand out.
- Big Picture: We always try to engage with upper leadership, gaining an understanding of the strategic landscape, allowing for testing to be performed with those goals in mind.
In either case, the earlier your organization engages with us the better we can assist with the larger strategic questions surrounding product security. It is our passion to help organizations secure the products they release to market to realize not only their success but also the safety of the end consumer. We want to help you as well, feel free to browse our services page to learn more about how we can help you!
About River Loop Security
River Loop Security is a cybersecurity services firm with deep expertise in IoT, embedded and wireless systems, and supply chain security. River Loop Security provides services including security architecture design, penetration testing, cryptographic protocol design, and security incident response for firms in industries including medical devices, telecommunications, critical systems, and others, with the goal of helping its customers build and deploy more secure products and services which they can stand behind in the market.