In May 2023, Infisical commissioned cybersecurity firm Oneleet to perform a full-coverage, gray box penetration test (pentest) against the application's entire attack surface to identify vulnerabilities, according to industry standards (such as OWASP ASVS, WSTG, TOP-10).
In this article, I share my experience spearheading the pentesting initiative for Infisical that is our motivation and how the procedure went down for other companies that may be considering undergoing a pentest.
What is pentesting?
Pentesting or ethical hacking is a simulated cyber attack against a computer system, network, or web application to identify vulnerabilities that could be exploited by malicious actors. The goal of pentesting is to identify weak spots in security posture which can be used to fine-tune security policies, patch vulnerabilities, and enhance overall security measures.
Why should you do a pentest?
There are plenty of compelling reasons to do a pentest. Here are a few that stood out to us and that may be relevant to you:
- To proactively uncover and remediate security vulnerabilities before malicious actors discover them and, in doing so, strengthen your organization's security posture.
- To ensure compliance with standards like SOC 2 and ISO 27001 where policies may require your organization undergo pentests on a regular basis.
- To increase trust between you and existing/prospective customers, especially when your business handles sensitive data.
As an open source secret management solution with security at the heart of everything we do, Infisical undergoes full-coverage pentests at least twice per year to ensure that the codebase is kept secure. That said, it may or may not make sense to do a pentest early on depending on the nature of your product/service, the sensitivity of data handled by it, the complexity of your systems, your organization's risk tolerance and compliance requirements, etc. The stage of your company may also matter since, for example, a pre-product market fit company may be concerned more with shipping product out the door quickly to ascertain demand rather than securing it.
Ultimately, the decision is multifaceted and must be judged on a case-by-case basis.
What firm should you hire to conduct the pentest?
You should hire a firm with a demonstrated history and track record of pentesting; ideally, it is also affordable for your company. With nearly a decade of experience performing pentests for 100+ companies and positive reviews/feedback from within the startup community, the team at Oneleet felt like a strong fit for Infisical and we were quick to get started.
What is the structure of a pentest?
Depending on the scope of the engagement, you can expect a multi-step sequence spanning one or more months. In our case, we followed a four-phase roadmap:
Information gathering: This step involved a call with Oneleet and assigned testers to determine the scope and timeline of the engagement, provide background information about the platform stack and infrastructure, and prepare for the test such as by providing the team access to a staging environment.
Pentest start: The pentest itself involved two testers manually performing a large number of tests on the application with extra attention paid to vulnerabilities that could cause serious damage to Infisical.
Reporting: After the pentest, Oneleet delivered a report consisting of an executive summary, a detailed finding section, and recommended remediations for the findings.
Remediation & retesting: Finally, the team at Infisical remediated any findings within the following week. During this period, Infisical maintained regular communication with Oneleet who were very responsive to inquiries. Following remediation, Oneleet provided a remediation report and letter of attestation for the conducted pentest.
Do you recommend doing a pentest?
Definitely — We had a pleasant experience working with Oneleet.
On a final note, we recommend doing a pentest at least once a year; we also recommend shaping a comprehensive security strategy early on and getting certified for compliance standards like SOC 2 and ISO 27001 early on. Prioritizing these initiatives early on help maintain your organization's security posture in the face of malicious actors and strengthen trust between you and your customers.
Top comments (0)