Benefits of using an external Red Team:
- Identifying vulnerabilities in applications and systems
- Having a fresh set of eyes to look at the software and systems
- Understanding the impact of a security breach
- Discovering weakness in the development and testing processes
- Testing the incident response capabilities
- Demonstrating the effectiveness of security controls and justifying security spending
Risks of using an external Red Team:
- Opening production environments to hacking – the network, the architecture, the software and the security controls themselves
- An obligation to give the team an “all-clear” (explicit authorization to attack) – the engagement contract needs to be very carefully worded
- Possible loss of trade secrets, since outsiders (potentially even competitors) are let into the in-house systems – whenever a company lets in outside parties, even those under a legal contract, it is opening itself up to risk
- The cost of hiring the team can outweigh the losses a hack would have caused
- Stepping on the toes of developers and testers – it is a rare in-house development and testing team that will welcome the idea of an external team breaking their systems. Bruised egos, finger-pointing, fear of being fired, and feeling vulnerable and replaceable are just some of the human elements that lead to the risk of a fall in productivity and disgruntled-employee syndrome.
Three questions to help decide on hiring an external Red Team are:
- Budget – Does the company have the money to invest in an external team?
- Risk assessment – Does the loss due to a possible breach or hack outweigh the risks involved in hiring an external team?
- Criticality of the software – Is the software of a critical nature, dealing with life-sustaining medical equipment, financial applications, or sensitive data that deserves A-1 security?