Penetration testing can protect the performance of your application!

I visited one of our customers recently to learn about his experience with our service. I understood that one of his main motives was to comply with GDPR requirements. Still, I asked him, “why did you decide to do penetration testing for your application?” His answer was totally unexpected! Penetration testing helps you uncover the vulnerabilities in your applications and systems. Then you put a mitigation plan in place and fix them before hackers misuse those gaps. So, penetration testing is a proactive service that protects you from serious consequences.

What could be the cost?
One of those serious consequences is a data breach, which affects companies financially. According to an IBM study, the average cost for each lost or stolen record containing sensitive and confidential information is $141, and the average size of the data breaches in their research is more than 24,000 records. So, a data breach can easily cost your company $3.4m.

Penetration Testing and GDPR
In their efforts to protect the privacy of their citizens and residents, the EU put GDPR into force on 25 May 2018. One of the GDPR articles, specifically Article 32, requires companies and organizations to test their information security regularly.

I therefore assumed that many companies had started asking and looking for penetration testing services. However, the answer I got from my customer was different.

Data encryption will decrease the application performance by 30%

He told me, “yes, we need to do regular testing for security reasons, but GDPR also recommends encrypting the customer data. We did many trials and we found that the performance of the application would decrease by 30%, which is a killing point for our service, and it will not be accepted by our customers.”

“We worked on different resolutions and we consulted our lawyers. Then, we reached a proper conclusion. We will keep the data non-encrypted and, at the same time, we work very hard to protect our applications and keep running regular security/penetration testing.” This was a new point of view for me, and I decided to share it with you. And I would like to take this opportunity to ask: what about you? Why do you do penetration testing for your applications?