What you should know regarding compliance and vulnerability analysis
Vulnerability and penetration testing are vital security measures to validate and improve cyber security defenses. They are not only needed to improve security posture but are also required by various national and international standards.
Here we outline the most widely used compliance standards that require either penetration testing or vulnerability testing: ISO 27001, PCI, SOC2 and GDPR.
ISO 27001 security testing requirements
A.12.6.1 – Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
The wording used here is geared towards vulnerability testing and does not make explicit mention of penetration testing. This leaves the choice between penetration testing and vulnerability testing up to the organization. Penetration testing goes a step further than vulnerability testing: it actually tries to exploit some or all of the vulnerabilities found, whereas vulnerability testing simply identifies the vulnerability but does not attempt to exploit it. The wording used here does not explicitly require that vulnerabilities be exploited, only that they are found, evaluated, and that appropriate measures are taken to address the associated risks.
PCI security testing requirements
6.1 – Identify security vulnerabilities in your internal and external applications by using reputable outside sources for security vulnerability information and assign a risk ranking (e.g., ‘high,’ ‘medium,’ or ‘low’) to each vulnerability.
6.2 – Ensure that all software and system components are protected from known vulnerabilities by installing any applicable security patches. You must install the patches within the first month following their release.
6.6 – For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
11.3.1 – Conduct external penetration tests at least once a year and after any significant changes or upgrades to the infrastructure/application (for example, upgrading the system, adding a subnet or webserver to the environment, etc.).
11.3.2 – Conduct internal penetration tests at least once a year and after any significant change or upgrade to the infrastructure or application (for example, upgrading the operating system or adding a subnet or web server to the environment).
11.3.3 – Vulnerabilities found during the penetration tests must be corrected and additional testing performed until the vulnerabilities have been corrected.
11.3.4 – If segmentation is used to isolate the CDE from other networks, this requirement mandates a penetration test at least once a year and following any modification of the segmentation methods/controls, to verify that the segmentation methods are operational and effective.
PCI requirements are thorough and require a penetration testing program encompassing at least an annual penetration test for both applications and infrastructure, as well as a vulnerability management program to ensure that identified vulnerabilities are remediated properly.
SOC2 security testing requirements
CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments.
CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
SOC2 requirements mention penetration testing as a criterion for compliance, as well as ongoing detection and monitoring procedures to discover new vulnerabilities (introduced by new infrastructure, for example).
GDPR security testing requirements
Article 32 – Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
While the GDPR requirement pertaining to security testing represents only a very small portion of the regulation, it allows organizations not only to become GDPR compliant, but also to prevent potential cybersecurity incidents and ultimately avoid large fines that can reach up to 20 million euros if a breach occurs.