When did you last do a penetration test on your web application?

First of all, what is penetration testing??

According to Rein Luhtaru, Senior Cyber Security Specialist in KPMG’s cyber team, penetration testing of web applications is an exercise where cyber security specialists play the role of an attacker. “We have specific security requirements and standards and we check that the applications comply with them. To do this, we apply the same techniques and tools that real attackers use.”

The difference between testers and real attackers is that KPMG’s testers have been authorised to carry out these activities. “While performing these operations, we ensure that we do it in the least disruptive way possible. We don't take down the application we are testing or make it more accessible to others in any way,” he explains.

In addition, KPMG’s cyber team log all their activities and issues identified. “We will present the detected security vulnerabilities in a way that is easy for the client to understand so that they would be able to protect themselves against similar attacks and solve the issues we have identified,” Luhtaru says.

Jaan Vahtre, Cyber Security Specialist at KPMG, adds that the testers have a specific objective and scope of work agreed upon with the client in advance. “There is nothing mystical about the testing; we work to an agreed standard and rely on a sound methodology,” Vahtre says.

Real risks to be considered

According to Luhtaru, the worst misfortune a client can incur is when their or their customers’ business data is stored or processed insecurely in a cloud where the data is easily accessible to cybercriminals.

“Material damage incurred when a service is down is one thing, but one cannot underestimate reputational damage, the extent and financial implications of which are often very difficult to measure. At first glance, it’s not easy to tell how much damage has been caused if your clients no longer trust you and stop buying your services,” Vahtre says.

Luhtaru adds that all it takes to lose your customers’ trust is one data leakage incident. “It is typical, of course, that employees are not well trained. There have been many cases where an attacker enters the system through one computer, encrypts all company’s assets, accounts and everything else, so the company can no longer continue its operations.”

Vahtre adds that, regrettably, there are cases every week where, in addition to technical methods, attacks are also successfully carried out by manipulating people.

To prevent this, Luhtaru recommends that companies send their developers to relevant training courses to learn to pre-empt problems and recognise attacks. “The development team should also participate in these courses because if security is built into the development cycle from the start, it will spare you many problems later.”

The financial sector is a few steps ahead of the others

“Overall, awareness is greater in the financial sector, which lays more emphasis on and allocates more resources to ensuring cyber security. Here, the risk of being attacked is certainly higher than in some other sectors. But when you listen to the news, awareness in other sectors has also risen significantly over the past few years,” Vahtre says.

In his opinion, it is high time to think about how to raise awareness in all sectors and areas of activity to a higher level than it is today. “I have to say that awareness is especially low when it comes to the security of mobile apps,” Vahtre notes.

But how can businesses protect themselves from attacks, and what lessons can be learned from penetration testing? Luhtaru replies that a company should certainly order a penetration test if it has developed a new version of a web application or plans to put it into wider use. “After testing, we will describe the problem areas and security bugs in a way that the average developer can understand and fix them,” he adds.

A penetration tester’s job is to be the bad guy?

Vahtre adds that when a client has commissioned a development job from a third party, then KPMG’s team can visit the developer with the client to discuss the identified vulnerabilities and threats and explain how these could be taken advantage of. “Together, we can devise an action plan to remedy these weaknesses or reduce their impact.”

Luhtaru, who also has long experience working on the development side, knows all too well that when companies ask developers to test applications, they never test them from a security point of view. “Usually, the only thing that matters to the company is the business process and that they can make money with the application. As a rule, security or risks are unfortunately not considered, and the main focus is on attracting customers to use their products, without considering that users can also be malicious actors.”

However, penetration testers’ job is to focus on negative scenarios and play the role of a malicious customer who wants to harm the company whose services they use, Luhtaru describes.

What about ‘do-it-yourself’ penetration testing?

Could companies conduct penetration testing themselves so that they would not have to order the service every time?

According to Vahtre, developers should indeed implement a security testing standard and follow it in the development process, but it is not a substitute for periodic and dedicated security testing.

Luhtaru adds that KPMG’s experience shows that even though anyone can use a vulnerability scanner, the problem is that not everyone can interpret whether its findings are positive or negative or what they actually mean.

“What we have seen in our practice is that there is a big difference between whether a penetration testing scanner is run by a regular employee or even an IT specialist versus an external service provider. In addition to looking at the scanner’s results, an external penetration tester can analyse the application systematically and predict what the attacker would do next, how they would take advantage of a specific exploit to penetrate deeper and obtain even more information about the company,” Luhtaru explains.

Penetration testing requires creativity

According to Vahtre, automated tools cannot understand the business logic of a company. They cannot assess threats adequately or combine different vulnerabilities to carry out attacks that are more sophisticated. “This work requires a lot of creativity: we look at each application separately, as their attack vectors are different. Business logic cannot be tested using a single pattern,” he argues.

Luhtaru sums it up by saying that the most important thing about outsourcing penetration testing is looking at the situation with fresh eyes. “Someone who hasn’t been involved in the process will see the application from a completely different perspective than, say, a developer who has been developing it for the past six months. We use the same approach internally within our team when we are doing several test runs of the same application. We change the testers within the team just to have a fresh look, which may reveal an error we hadn’t noticed during a previous test run.”

Jaan Vahtre
Küberturvalisuse spetsialist
KPMG Baltics OÜ