Third-party penetration testing (also known as a ‘pen test’) is not an overly familiar term to many organisations. However, as the number of security breaches and cyberattacks grows inexorably, the demand for pen tests is growing rapidly. So, what is a pen test, and what benefits does it provide?
Testing and assessing security vulnerabilities
Penetration testing (‘pen testing’) is a security exercise that employs a specialist provider (using ‘ethical hackers’) to probe and assess an organisation’s security vulnerabilities using a defined and open process. The aim of the test is to reveal security vulnerabilities in networks, applications, physical facilities and even individuals so that any weaknesses can be fixed.
In turn, of course, this has implications for compliance, particularly around the secure storage of personal data. The thinking behind pen testing is simple: “If an ethical hacker can break into your systems, then so too can a real hacker”. Of course, the difference is that the ethical hacker is working for your organisation with the aim of helping to strengthen security.
A pen test is a risk assessment of security processes and systems offering multiple benefits, such as:
- Identifying vulnerabilities before criminals do and eliminating weaknesses that could be exploited in the future.
- Increasing resilience against cyberattacks to ensure continuous business operation.
- Reducing the cost of security attacks.
- Increasing security protection by challenging your existing strategy, particularly for key business assets.
- Meeting compliance obligations with a verified, secure solution.
- Creating a security-conscious organisation.
That’s why Touch invests significantly in regular OWASP-based penetration testing performed by an external third-party specialist. Ensuring that our systems and data are as secure as they can be means that our customers can rest assured that Touch is keeping their data secure and safe.
What is OWASP penetration testing?
Open Web Application Security Project (OWASP) penetration testing is designed to identify, safely exploit, and help to address security vulnerabilities in an organisation. Any weaknesses found can then be rectified before they can be exploited.
Initially, it assesses the security of applications to identify the vulnerabilities outlined in the OWASP Top Ten [see below]. That list is then used as a starting point for supporting web application developers and DevOps teams, and for helping organisations become security aware.
What is OWASP and its current Top Ten list?
OWASP is a non-profit organisation founded in 2003. Its mission is to improve software security by providing open-source tools, techniques, and mindsets to increase application security in software projects. It also provides free educational content on security testing.
The OWASP Top Ten provides a standards-aware risk assessment of the most common security threats and vulnerabilities found each year, and as such provides a starting point for building a broader security strategy.
The current OWASP Top Ten (the most common security risks in 2021) is:
- Injection flaws
- Broken authentication
- Sensitive data exposure
- XML External Entities (XXE)
- Broken access controls
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure de-serialisation
- Using components with known vulnerabilities
- Insufficient logging & monitoring
The benefits of OWASP pen testing are manifold. As well as identifying and addressing vulnerabilities and reducing the risk of data breaches and disruption to services, it also provides better assurance for standards and compliance regimes such as PCI DSS, ISO 27001, the General Data Protection Regulation (GDPR) and the NIS Directive.
At the same time, it provides a platform for improving software development and quality assurance practices by giving organisations insight into security threats and risks, while supporting better-informed future security decisions.
Touch performs regular third-party penetration testing
Touch conducts OWASP pen testing at least once a year – the recommended frequency – and more often when major software releases or updates are made. Tests are conducted by a third-party specialist provider that conforms to the highest legal, ethical and technical standards, and follows best practices.
Validating our security programme and demonstrating our security in this way, including through audits and open, transparent processes, benefits all our customers by providing peace of mind that Touch is not only ensuring the security of their data, but also helping them to meet their compliance obligations.
Get in touch to find out more about how we ensure the security and integrity of your data.