Over the past few months, we have had several customers ask us about when is the right time to penetration test a new application in their environment. Right off the bat, we like this question, because it recognizes the fact that a new application needs a penetration test. You never want to roll a new application out to production without testing it, as the application is not only at risk itself but it also places all systems in your environment at risk if it gets compromised. So now that we have established the need for a test, determining when you should test a new application is a bit more tricky. In this blog, we will explore when is the appropriate time to have a penetration test performed on an application.
Do Not Test a New Application Too Early
It is important that you do not test a new application until it is fully functional and in its final form. This means that all core functionality and the intended feature set for release is in place and has been verified. The reason you don’t want to test too early is two-fold. First, if anything within the application changes, or new functionality is added, that new code has not been tested, and therefore might be vulnerable. A lot of times, the parts of the application that are not implemented may play a significant role in the security of the application. Second, as part of a web application penetration test, if something doesn’t load properly or throws an error, that is an indicator to the test team that there may be something we need to look into from a security perspective. A lot of times, one of the earliest signs of a vulnerability is simply being able to produce an error. When an application is not fully functional, it is extremely difficult for us to determine whether an error was caused by something we did or if it’s just broken functionality. Forcing a third-party to assess an application too early can end up being just a best-effort test that may not be a true measurement of the risk associated with this new application.
Do Not Test an Application Too Late
Conversely, you do not want to wait and test a new application after it is live. First, before the application is live, there are obviously fewer concerns around availability data integrity. This allows the test team to really hammer away on the website, without concerns of bringing it down. Of course we perform many tests on production applications and are proficient at giving a good test without any interruptions. With that said, it is always better if we don’t need to have availability concerns as it speeds up our assessment and allows us to fully explore the risk of discovered vulnerabilities. Second, and perhaps the obvious reason, is that the second that site is live it is exposed to everyone on the Internet, including malicious hackers. It is dangerous to assume that it won’t be targeted within the first 24 hours of being placed into production. As mentioned in the intro above, if an attacker finds a vulnerability that gives him remote code execution of the underlying server, that not only puts the new application at risk, but your entire organization.
The Right Time to Test a New Application
In summary, the right time to test a new application is usually in the final stages of QA. You want the application to be fully functional and as close to production-ready as possible. For most applications, it takes approximately a week to execute a test and another week to turn around the report. So it’s a good idea to plan for 2 weeks of security/penetration testing into your project timeline.