The Importance of Penetration Testing for Businesses

What is a "Penetration Test"?

Example of Penetration Testers reviewing an application source code

Penetration Testing, also known by other names such as pentesting, ethical hacking or white-hat hacking, is a simulated attack against an organization’s systems. A pentest target can be a web application, software, network, or all of them.

Why Is Penetration Testing Important?

As companies are digitizing their business operations and processes, there is a tendency to overlook the technology risks that they come associated with. One of the major risks is hackers exploiting a vulnerability that exists within your IT infrastructure. The possibility that the hacker could take full control of your IT infrastructure becomes extremely likely once they gain entry into your internal network.

The 2018 Global Security Report from Trustwave found that all web applications are vulnerable to attack. Yes, you read that right. All applications had at least one vulnerability, and the average number of vulnerabilities found per application was eleven.

Different Types of Penetration Tests

Primarily, penetration tests are split up into the following five categories:

Network Service Penetration Tests
Web Application Penetration Tests
Client Side Penetration Tests
Wireless Network Penetration Tests
Social Engineering Penetration Tests

There are also 3 main types of Penetration testing methods:

Black Box Testing (No information is provided)
Gray Box Testing (Partial information is provided)
White Box Testing (All information is provided)

Personal Data Protection Act Guidelines

Screen grab from PDPC's Guide On Building Websites For SMEs document; Revised 10 July 2018

Under the Personal Data Protection Committee’s advisory guide on building websites for SME s, point 5.4 under Risk Management of the Website Security section states that Organizations should ensure that a risk assessment of their website is done, reviewed and updated on a regular basis.

For point 5.6 under the Security Testing section specifically states that Organizations should conduct Penetration Testing before their websites go live, and also on a periodical basis. Any discovered vulnerabilities should be reviewed and promptly fixed to prevent data breaches.

Cybersecurity Act

For Critical Information Infrastructure (CII) owners in Singapore, the Cybersecurity Act 2018 section 15 also mandates that cybersecurity audits and risk assessments must be performed at least once every 2 years, or at such higher frequency if required.

This requirement is directly applicable to the CII supporting the provision of essential services across Singapore’s 11 critical sectors, namely: Energy, Water, Banking & Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Government, Infocomm, Media, and Security & Emergency Services.

Regulatory or Compliance Requirements

There are various other certification, regulatory or compliance reasons why Organizations have to perform a pentest. For example, Organizations undergoing certain standards adoption like the Data Protection Trustmark and ISO Certifications, getting their licences under the Payment Services Act, or applying for software support funding under the Productivity Solutions Grant will need to show proof that security risk assessments were done and any vulnerabilities resolved, on a regular basis.

Where can you find Penetration Testers?

Now that you are aware of how important and beneficial Penetration Testing exercises are for your Organization, it’s time to look for trusted service providers.

Privacy Ninja has on board some of the best penetration testers that the market has to offer, at affordable rates that will be hard to find elsewhere.