In cybersecurity, several terms are closely related to each other, such as application security, security audit, security assessment, and penetration test. They are often confused, even by cybersecurity professionals. We must speak the same language as our customers and colleagues, so we decided to elaborate on them. Hopefully, you will be able to distinguish them once you have finished reading this post.
Intuitively, you could guess that Application Security is the broadest term. Indeed, despite attempts to narrow it down to specific areas, application security covers a great deal of knowledge. The OWASP Software Assurance Maturity Model (SAMM) provides a well-structured map of application security practices. In that model, Penetration Testing belongs to the Security Testing practice, while audits and assessments fall between Security Testing and Compliance Management. All of these are essential practices within the Application Security domain, but they are far from comprising even half of it.
Now, to illustrate the difference between an audit and a penetration test, let us look at the following picture.
As you can see, the audit is the practice with the narrowest scope that consumes the most information available about the audit subject. The audit scope is always precisely defined, usually by a standard or policy. The audit outcome compares the organization's controls and practices over a specific period against a standard or another set of requirements. As a result of this comparison, an auditor issues either a confirmation of compliance or a report full of non-conformities.
Similarly, a security assessment uses a framework as a benchmark for measurement. However, it is usually less focused on compliance and more oriented toward business risk mitigation. Assessments focus on a point in time instead of a whole period: now, rather than during the last six months. An assessment report typically contains not only the findings but also remediation guidance.
A Penetration Test is a controlled simulation of a realistic attack. This exercise aims to measure the target's resilience to a real-life cyber threat. Although there are methodologies that describe the tactics, tools, and procedures available to attackers, in reality they cannot all be applied in a single project. Like a real attacker, who will take the shortest path to get to you, a pentester will apply the most efficient techniques to penetrate your defenses. Unlike an attacker, a pentester will present you with a comprehensive report on the identified flaws and how to fix them.
None of the above practices make an organization or an application completely secure. An audit provides assurance that it is compliant with a standard, whilst a security assessment and a penetration test demonstrate how your business can be harmed and how to make that less likely. To reasonably expect that you are protected from cyber threats, you should apply a combination of practices: some to secure your organization and infrastructure, others to protect your software and customers. However, it is virtually impossible to have any hard proof that a security objective has been achieved. If someone tries to convince you that something is secure because it passed an audit or had a penetration test, you should treat it as either a misunderstanding of these concepts or a manipulative statement.
Where does Berezha Security stand in relation to the practices discussed? Application Security is certainly our main domain of focus. More than 80% of our projects are directly related to software security. We do provide penetration testing and security assessment services, but we do not conduct audits. We also offer training and consulting and help implement application security practices.
I hope that this post will help you better understand what security services your organization needs the most. And we are always here to help. Stay safe and take care.