Playing the Bad Guy

There’s a widely used, approach to using external people to improve your software security. It’s called ‘Penetration Testing’. Discover how it works...


Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. (SearchSecurity)


Would it make sense for you? Lets look at the advantages and disadvantages of the approach, and then at where you might go next to set it up.


 Essentially, an external ‘white hat’ security team simulates what an attacker would do to attempt to gain access or disable the service. The white hats then feed back any ‘successful’ exploits they have found to the development and operations teams.


[Ensuring software security] tends to get handed off, in most companies I've worked with, to a white-hat hacking team. [They] don't do it a code level.  (Developer, Security-oriented phone manufacturer)


Penetration Testing can find a range of possible security problems, including various types of misconfiguration, and vulnerability to injection attacks. 




 On the one hand, it requires specialist skills, which are in short supply: if is internal to the organisation, it requires expensive staff; if external, the cost is significant.


[The problem about recruiting a pen tester is that that knowledge is really quite rare, and the attitude … is also quite rare] And finding them together is difficult. The people who do have both of those things are always in high demand. Most of them are contractors, because they can make a lot more money that way, and why wouldn’t you be. (CEO, outsourced secure web developer)


Penetration Testing cannot prove that a system is secure; merely that it lacks some common security faults. Some experts, therefore, prefer not to use it at all:


I don’t believe in [penetration] test teams, because I believe that takes away responsibility from people to do the right thing. (Security expert, Security and military supplier)


The decision whether to use Penetration Testing, as with other security decisions, is a business decision. It requires the approach discussed in our section on Security Negotiation.


A variation, requiring even more skill from the practitioners, is ‘Red Teaming’. A Red Team may use more sophisticated tactics, such as social engineering (persuading an employee to do something that assists them) or physical access to the systems involved, to achieve their goal of ‘breaking’ the system. Currently, unfortunately, setting up or employing a red team is impractical for most development groups.


  • The UK Industry body for penetration testers is CREST, which has a list of its UK member companies who've satisfied appropriate criteria here, and some international (USA, Australia, New Zealand) members here. 
  • For the USA, there's a huge list of security-based companies, including some pen testers, available from website tool vendor vArmour through this signup page, or for the 2017 version, directly here
  • Red teaming will be done by a subset of the above organisations – googling ‘Red teaming specialists uk’ provides a start.