Hack your own app: Penetration Testing at Haven Technologies

By Mike D.

Security, like any good defense, requires effort from every player on the field. Here at Haven Tech, we strive to be that Steel Curtain of defense — just like the ’70s Steelers. (How I assume Mean Joe Greene would put it if he worked in Infosec: “One Lean Mean Security Machine.”)

Dated football references aside, we accomplish this through a team-wide effort with several programs that enable our developers to become security aficionados. With our developers empowered with this knowledge, our security becomes strengthened at every level of development.

The Best Defense is a Good Offense

One of the easiest ways for us to reinforce our security at Haven Tech is penetration testing, which we do from a white-box perspective (full source code available) with the aid of our developers. This testing combines the developers’ intimate knowledge of the application and its environment with the testing experience of our Information Security team, which allows us to explore, document, and remediate vulnerabilities that traditional automated scanners would miss.

We acknowledge the benefit of penetration testing; however, this approach leaves much to be desired given the fluid nature of security and development. That’s why Haven Tech empowers our developers to become security champions and learn these penetration testing techniques, under proper rules of engagement, so that our security program becomes consistently more impactful.

With Great Power Comes Great Responsibility

There is an inherent risk that comes with penetration testing due to the offensive nature of requests we submit to our environment. We mitigate that risk in two ways:

  1. Proper Policy/Procedures
    A) Testing in lower environments with no live data
    B) Non-Destructive manual testing
  2. Education

That being said, we have found that most security practitioners have nightmares about writing lines of policy, and everyone else has nightmares about reading them. That’s where education shines: it allows us to teach proper rules of engagement that follow policy, in a format our users find far more digestible.

Using our penetration tests as a platform, we are able to illustrate real-world vulnerabilities, remediate exploitable issues before they reach production, and, most importantly, educate our developers on techniques they can later put into practice to strengthen our security.

Do or Do not. There is no try.

When building an internal program for penetration testing, it’s important not to overlook the practical side of things. Learning exploitation techniques in a classroom setting is key to giving context and background on an issue. However, in the real world, attack chains do not always have the luxury of following the script 1:1.

Because our applications are containerized, it is easy for Haven Tech developers to spin up a playground that exactly matches our production environment. In that environment, they are able to practice and find exploits that are unique to our applications.

For those thinking about creating their own penetration testing program, there are training alternatives that do not require containers or testing in your own environment. Both OWASP WebGoat and OWASP Juice Shop are trustworthy, easy-to-set-up applications that provide a playground for learning.
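A minimal Compose file for the kind of container-based playground described above, added here as an illustration rather than anything from Haven Tech’s own setup: it runs OWASP Juice Shop and OWASP WebGoat on their own bridge network, bound to loopback only, so the “lower environment with no live data” rule is enforced by the setup itself. The image names and ports are the upstream projects’ published defaults as I know them; verify them against the projects’ documentation before relying on them.

```yaml
# Added example (not from the original post): a throwaway local training
# playground for the two OWASP apps named in the text.
# Assumptions: Docker Compose v2 is installed, and the upstream defaults are
# current: bkimminich/juice-shop listens on 3000; webgoat/webgoat serves
# WebGoat on 8080 and its WebWolf helper on 9090.
services:
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      # Bind to loopback only: reachable from this workstation, not the LAN,
      # so the deliberately vulnerable app is never exposed to other hosts.
      - "127.0.0.1:3000:3000"
    networks:
      - playground
    restart: "no"   # throwaway: nothing persists and nothing auto-revives

  webgoat:
    image: webgoat/webgoat
    ports:
      - "127.0.0.1:8080:8080"   # WebGoat lessons
      - "127.0.0.1:9090:9090"   # WebWolf helper app
    networks:
      - playground
    restart: "no"

networks:
  # Dedicated bridge network: the training apps can see each other and
  # nothing else running on the host, keeping test traffic off real services.
  playground:
    driver: bridge
```

Start it with `docker compose up -d`, then browse to http://127.0.0.1:3000 (Juice Shop) and http://127.0.0.1:8080/WebGoat; `docker compose down -v` discards the whole environment, containers and volumes included, when the session is over.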

“Talent wins games, but teamwork and intelligence wins championships.”

It’s easy to see the intelligence, dedication, and skill of the entire development team at Haven Tech, especially from a security perspective. While having a great team is important, the aspect that makes our Information Security team sleep better at night is everyone’s willingness to “buy in.” This buy-in mentality happens at every level of our organization — from developers, QA, and even C-level executives; everyone contributes to security.

It takes a village to secure a product, and everyone contributes to making our platform secure and trustworthy for our users.
