Keeping Your Risks In Frame: System Penetration Testing vs Enterprise Penetration Testing
- Logic Hazard Labs Staff
- Jan 16
- 3 min read

You can't defend against what you can't see. Like any other business process, decisions about security hinge on the quality of your data and the scope of your influence. Penetration testing provides a vehicle for simulating realistic attacks in order to gather data about your security posture and identify practical improvements in technology or process to close identified gaps.
The challenge is that not all threats are equal, and organizations have their own unique sphere of influence. As a provider of a product or service, an organization may be able to implement low-level architectural changes to its design or solution. A consumer of a product or service may be able to enforce some baseline requirements as part of a vendor management program, but even the most important customer is often kept out of how those requirements are addressed in the design.
It's rare for an organization to be just a provider or just a consumer. Providers buy or integrate components from upstream suppliers. Consumers buy a product or service because it has business value in enabling their core mission; if it doesn't help the company deliver, then why introduce it in the first place?
An organization can gather data about both products and dependencies through mindful scoping of penetration tests. The scope of a penetration test is the set of assets or processes that will be subjected to real-world attacks.
A system penetration test is a limited scope engagement that takes an integrated set of components and examines each individual node as well as interactions between nodes. A provider of a product or service would be well advised to conduct a full system penetration test before major product releases and periodically while the product is actively fielded to help identify vulnerabilities before they are exploited in the wild.
Consumers have a vested interest in managing their own security posture. An enterprise penetration test is a wide-scope engagement that examines the attack surface of an entire organization. Enterprise pentesting provides a higher-level view of the effectiveness of technology and process controls that protect mission critical functions: accounting, HR, operations, customer service, and more. Enterprise pentesting discovers how systems of systems interact to get things done and simulates attacks that take advantage of that complexity.
Yet there are times when producers would benefit from enterprise penetration testing and consumers would benefit from system penetration testing. Producers have their own mission critical functions that need to be protected; some of those functions may be dedicated to supporting the delivery of products or services to customers. For example, if Company A offers a product that reaches out to a web service to check for updates, Company A needs to make sure that an attacker can't compromise the code repository or CI/CD pipeline and insert a backdoor that could hurt its customers when the next update is installed.
Likewise, Company B, a utility company with a large fleet of vehicles, may decide to implement a telematics solution to gather data that streamlines maintenance and enforces driver safety policies. It would be a good idea for Company B to take a prototype vehicle with the telematics system fully integrated and subject it to a system penetration test before proceeding with the rollout for the full fleet. If vulnerabilities are identified in the integration, Company B can make changes to its implementation of the system. If vulnerabilities are identified in components of the telematics system itself, Company B can evaluate whether layered defenses can cover the gaps or even decide to choose another vendor for security reasons.
Whatever your place in the supply chain, Logic Hazard Labs can help you visualize your risk and help you manage your sphere of influence.