A common question on RFPs and tender documents for applying or re-applying to be on a lender's panel of valuers is whether your systems are regularly PenTested (IT jargon for penetration tested or, in plain English, subjected to an IT security audit).
What is a PenTest?
A penetration test, or pentest for short, is an attack on a computer system carried out with the intention of finding security weaknesses and potentially gaining access to the system, its functionality and its data.
The process involves identifying the target systems and the goal, then reviewing the information available and using the available means to attain the goal. A penetration test target may be a white box (where all background and system information is provided) or a black box (where only basic or no information is provided beyond the company name). A penetration test can help determine whether a system is vulnerable to attack, whether the defences were sufficient and which defences (if any) were defeated during the test.
Security issues uncovered through the penetration test should be reported to the system's owner. Penetration test reports may also assess the potential impacts to the organisation and suggest countermeasures to reduce risks.
Penetration tests are valuable for several reasons:
- Determining the feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Testing the ability of network defenders to successfully detect and respond to the attacks
- Providing evidence to support increased investments in security personnel and technology
Does ValuePRO run PenTesting for us or do we have to do it ourselves?
Your ability to successfully pass a PenTest will be a combination of the security of the ValuePRO application itself and the security configurations and settings you elect to implement. Examples of practices that are in the customer's control rather than our own, and that would negatively impact a PenTest assessment, include but are not limited to:
- Lax password security practices, for example users sharing passwords and/or account login details
- Disabling or failing to enable recommended security settings such as password strength and expiry
- Weak cultural resistance to social engineering attack vectors, e.g. an attacker poses as a legitimate user, contacts a staff member at the customer's firm and successfully bluffs their way into receiving login credentials
Should you wish to have a PenTest run, we recommend that you first consult your ValuePRO account manager for advice on your existing practices and your readiness for such a test.
What Overall Security PenTesting is done on ValuePRO?
We run controlled PenTesting on a reference implementation of ValuePRO on an ad hoc basis, usually timed to follow the completion of any major architectural or structural changes to the application or to the infrastructure of the system. These tests provide us with findings and recommended security changes, which we apply to the general baseline codebase of ValuePRO.
We then roll out security patches and updates for critical issues to existing instances and new instances will automatically benefit from improvements to our baseline codebase.