[sillysaurus3]

Only because most organizations don't know how to be effective at security.

It's not hard. You don't actually have to change much. You just have to schedule regular pentests, ideally every couple weeks.

Pentests protect everyone because it's our job to worry about all of the security flaws that you can't possibly be aware of in your normal day-to-day development cycle. There's just too much for any organization to know about except security companies. This way you can focus on development and we can focus on pointing out how to fix what's broken.

[paulmd]

Pentests aren't a magic bullet either. You can easily find a consultant who isn't going to rip you a new one.

Security is a mindset. Any "checklist" approach will eventually devolve into ass-covering by an organization that is not internally motivated to run a tight ship. Legitimate variances will be hassled to no end, while actual security vulnerabilities will be ignored.

[sillysaurus3]

In the real world, one of the only reasons people get pentests is because another company is forcing them to. That results in a document saying company B is secure.

This is a very effective approach at cutting through ass-covering. Company B has to fix the security problems uncovered in the pentest. There is no other option. And I've seen it take products from "SQL injection by typing an apostrophe" to "It'd be very difficult to exploit this app."

If that's not proof that pentsts are effective, then I'm not sure what would be.

We like to say that security is a mindset, but developers have way too much on their mind to be aware of every possible security vector. It's easier and more effective to punt and let us worry about it instead.

[Consultant32452]

There's different levels of penetration testing too. I worked at a SaaS startup and when we got our first big customer they demanded we get a third party to run a pen test on us. They basically ran their script and gave us a report. There might have been some minimal going back and forth about some false positives, but that was about it. That's better than nothing, but may not be what some of the more technically/security minded folks here at would consider a real pen test.

[hutzlibu]

"It's not hard."

No, it is not, you just need skilled people working on it. Oh, those people want money for it ...

[davidbanham]

Exactly. It's not hard, it just costs some money.

It's exactly the same as physical security. You build fences and buy locks. You pay people to keep an eye on things. You take insurance to cover the rest of the risk.

Nothing hard, no new inventions required. It just takes some attention and cash. It's part of the cost of being in business.

[joe_the_user]

Wait, the hardness of information security comes because it has to be built-in everywhere since everything is connected and so everything is a potential attack surface.

It's not impossible but it requires a somewhat universal attitude change.

[sillysaurus3]

I want to agree with you in principle, but in practice it's not possible to be secure with just an attitude change. The attack surfaces have grown too large. Keeping track of all possible vectors is a full-time job in itself. You either need a dedicated security person or regular pentests. And honestly, regular pentests are probably more effective.

It's a positive statement though: it is possible to be constantly secure if you just get a pentest every few weeks. Big companies can even afford to make it a requirement of their release cycle.

[noxToken]

> Big companies can even afford to make it a requirement of their release cycle.

Oh man. I have a peer who works for a very large international company. They require pentests in their release cycle. What could go wrong?

Turns out that pentesting isn't in the final portion of their release. They tag a release candidate (e.g. v5.7.0-rc), send that build to the pentesters, then fix other integration and user-acceptance bugs while the pentesters are working. The pentesters may greenlight v5.7.0-rc when it's really v5.7.3-rc that's shipping, and the pentesters are none the wiser.

Security only works when the culture supports it.

[joe_the_user]

Attitude change in the sense of not being willing to allow inherently insecure architectures - management always moving the company towards secure-on-principle architectures (not that I'm qualified to say if it's a good example but Google's BeyondCorp is an example of aiming to make everything secure on principle meaning not leaky on principle). That added to any pentesting or other necessary immediate security measures.

The impression I have is that today's event was the result of a lot of companies allowing insecure-on-principle architectures like a zillion apps each with their own update structure (random Ukrainian enterprise app supplier gets penetrated and the whole world goes down). A pentester might never be able to find that vector until that app supplier leaves their door open or someone finds out about them for example.

[joe_the_user]

And people skilled at picking the skilled people and a willingness to actually do what the skilled people say... when those skilled people aren't necessarily the same as the managers shouting managementese...

And this also collides with the willingness to do anything to save a couple of dollars and once that dictate isn't flowing through every once of the company's blood, who knows what will happen.

[edejong]

Pen-tests show the presence if vulnerabilities, not their absence.

To make secure systems, we need to take the (very) difficult road of working our systems bottom up and proving the absence of vulnerabilities and defining the boundaries of safe operations.