The importance of not eliminating low-hanging fruit before a penetration test
TL;DR:
Low-hanging fruit is a common term for things that are easy to obtain. Taken literally, the easiest fruit to pick from a tree is the fruit closest to the ground: it can be gathered with far less effort than the fruit higher up.
In cybersecurity, many companies try to fix the low-hanging-fruit vulnerabilities before their penetration test begins. There are several reasons a company may do this. First, the security department may want the penetration testers to report fewer findings, so that the team looks better than it would if many vulnerabilities were discovered. Second, a company may not want to pay for extra work by the penetration testers; by fixing vulnerabilities in advance, it hopes the testers will find fewer issues and the test will cost less. In practice, most penetration tests are quoted on scope and time rather than on the number of findings, so fewer findings rarely translate into a lower invoice. Third, a company may want the penetration testers to concentrate on vulnerabilities it is not already aware of; by clearing out the low-hanging fruit, it hopes the testers will have to dig deeper and find hidden weaknesses. While these may sound like good reasons, we recommend that clients not spend their time eliminating low-hanging fruit before a penetration test.
Once you have decided to have a penetration test done, there are far better uses of the time before the test than rushing to resolve security vulnerabilities. In this article, we highlight the main reasons why you shouldn't try to resolve low-hanging fruit before a penetration test.
One of the main reasons you pay for a professional penetration test is so you can rely on the testers' subject-matter expertise on how to resolve security vulnerabilities. If a vulnerability has been lingering in your organization, it is more time-effective to let the penetration testers you are paying give you a remediation plan and to schedule all of the remediations at once. There is no need to rush fixes for the low-hanging fruit and then, once the test is complete, go back and implement fixes for the other issues they found. You are better off waiting until the test is done and implementing all of the solutions together. Spend the time before the penetration test on other issues in your environment, because whether or not you try to resolve the low-hanging fruit, you will have a lot of remediation to implement after the test, and doing it all in one planned change is more time-effective.
Another reason not to prioritize low-hanging fruit before a penetration test is that security is about managing risk, not counting bugs. Rather than dealing with the easiest issues, focus on the problems that carry the most significant risk. Before a penetration test, it is better to spend the time identifying which IT assets matter most to your business, so that the scope and rules of engagement direct the penetration testers toward the assets that most need protecting. A low-hanging finding is also often the first link in an attack chain; leaving it in place lets the testers show you how far an attacker could get from it, which is exactly the context you need to prioritize the fix. Low-priority items that are easy to fix can be resolved at any time; rather than focusing on these low-impact items, find ways to focus on the larger issues affecting your environment.
The personal trainer analogy is probably the best way to understand why we recommend that clients not try to resolve their security vulnerabilities before a penetration test. Someone hires a personal trainer for guidance and expertise on the best way to become fit. You can work out on your own, but you will be more efficient and effective working with a competent personal trainer and following their plan. The same reasoning applies here. You are hiring a penetration tester to leverage their expertise in finding security weaknesses and recommending how to fix them. Remember, a good penetration tester doesn't just find and report vulnerabilities; they are also skilled at finding ways for their clients to resolve those vulnerabilities and reach a secure state. You will resolve security vulnerabilities far more efficiently if you wait for expert guidance.
Another reason not to start resolving issues before the penetration test is that you won't know where to start. There can be hundreds, if not thousands, of vulnerabilities in any given environment at any given time. Without proper guidance, it is hard to know which low-hanging fruit are worth fixing and which issues should take priority over others. Sometimes it is simply infeasible to address every problem in your environment, and in some cases the reported issues are false positives that don't need to be addressed at all. By waiting until the penetration test has been conducted, you can be sure you are only spending time on issues that genuinely need to be addressed, which is the most efficient use of your time.
Within cybersecurity, low-hanging fruit are vulnerabilities that are easy to detect and resolve. Many companies think they should resolve low-hanging fruit before conducting a penetration test, either to look better as an organization or to make the penetration test more effective. For the reasons above, we don't recommend this approach. You will be far more efficient with your time, and more effective with your people, if you wait until after the penetration test to perform your remediations. Remember the saying: "You don't try to get fit before going to a personal trainer." Once you commit to hiring a professional, it is best to leverage that person's expertise so that the work you do is effective and the fastest route to your goal. By relying on your own insight alone, you risk wasting time and money that could have been spent on a more effective strategy.