
Why do we perform security testing?

Security testing is a blanket term for the process of checking a system, network, or piece of software for vulnerabilities that hackers and other threat actors could take advantage of. Security testing comes in many forms; the main ones (arguably) are:


Vulnerability Assessment: an automated security test that uses tools to scan your systems or applications for security issues. These tools, called "vulnerability scanners", run automated checks to uncover flaws in your applications or infrastructure. The flaws could be application-level weaknesses, cloud configuration issues, or simply software with missing security patches (one of the most common causes of cybersecurity breaches).


Penetration Testing: primarily a manual assessment by a cybersecurity expert (usually supported by vulnerability scanning tools) that also determines the extent to which threat actors could exploit the vulnerabilities found.


Penetration testing is a great way to find the greatest number of new weaknesses, but you should also consider how quickly you get alerted to new vulnerabilities after the test has completed (if the answer is "not quickly enough", you will want a continuous vulnerability scanner for that).
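To make the "missing security patches" class of finding concrete, and to show why a scanner worth re-running continuously is just inventory compared against an advisory feed, here is a small added example (not code from the original post or from any scanner vendor). The hosts, package names, versions and advisory identifiers are all constructed sample data, and the version-comparison rule is a simplification assumed for the example.

```python
"""Minimal 'missing patch' check of the kind a vulnerability scanner automates.

All hosts, packages, versions and advisory references below are constructed
sample data for illustration; they are not real software or real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically.

    Comparing the raw strings would wrongly rank '3.0.10' below '3.0.2',
    which is exactly the kind of mistake that hides an unpatched host.
    Assumption: versions are dotted integers (no '1.2.3-rc1' suffixes).
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str   # first version that contains the patch
    severity: str   # critical / high / medium / low
    ref: str        # placeholder identifier, not a real advisory id


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed advisory feed (hypothetical packages and versions).
ADVISORIES: List[Advisory] = [
    Advisory("webserver", "2.4.50", "critical", "ADV-EXAMPLE-001"),
    Advisory("tlslib", "1.1.1", "high", "ADV-EXAMPLE-002"),
    Advisory("imagelib", "3.0.2", "medium", "ADV-EXAMPLE-003"),
]

# Constructed software inventory: host -> {package: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"webserver": "2.4.49", "tlslib": "1.1.1"},
    "web-02": {"webserver": "2.4.51", "tlslib": "1.0.9"},
    "img-01": {"imagelib": "3.0.10"},
}

Finding = Tuple[str, str, str, Advisory]  # (host, package, installed, advisory)


def find_missing_patches(inventory: Dict[str, Dict[str, str]],
                         advisories: List[Advisory]) -> List[Finding]:
    """Return one finding for every installed package older than its fix.

    Results are ordered most severe first, then by host, so the report
    starts with what needs patching soonest.
    """
    findings: List[Finding] = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # package not present on this host
            if parse_version(installed) < parse_version(adv.fixed_in):
                findings.append((host, adv.package, installed, adv))
    findings.sort(key=lambda f: (-SEVERITY_RANK[f[3].severity], f[0], f[1]))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line each; empty list means nothing is missing."""
    if not findings:
        return "no missing patches found"
    return "\n".join(
        f"[{adv.severity.upper()}] {host}: {pkg} {installed} < {adv.fixed_in} ({adv.ref})"
        for host, pkg, installed, adv in findings
    )


if __name__ == "__main__":
    # Re-running this whenever the advisory feed or the inventory changes is
    # what a continuous scanner does between penetration tests.
    print(format_report(find_missing_patches(INVENTORY, ADVISORIES)))
```

Note that `img-01` is correctly reported as patched even though a plain string comparison would have flagged `3.0.10` as older than `3.0.2`; real scanners carry much more elaborate version logic for the same reason.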


A company named Veracode released a State of Software Security Report revealing that 83% of the study sample, comprising 85,000 software applications used by 2,300 companies worldwide, had at least one security vulnerability discovered during an initial security test. Without that test, these flaws would have been released into production, making the software far more vulnerable to cyber attacks. Two common reasons to perform security testing are as follows:


Third-party or customer requests. If partners or customers have specifically requested that you perform security testing to ensure their data remains safe from attackers, you may face more stringent requirements. Even then there is room for interpretation: it is very common for customers to require a "penetration test", but they rarely specify exactly what that means.


Compliance certifications and industry regulations. Many industry regulations and compliance certifications also require organizations to undergo regular security testing. Common examples include ISO 27001, PCI DSS, and SOC 2. These standards specify the required testing in varying levels of detail, but even the most specific does not dictate exactly how or what to test, as that depends on the scenario at hand. For this reason it is generally accepted that the company being tested is best placed to determine what level of security testing makes sense in its situation, so you may find the guidance below still useful in deciding what and how to test.


©2019 Iris