Repeating a pentest: At least once a year recommended
Giving an honest recommendation is difficult for us. The fact is: IT security is a process. The more frequently you test your own systems, the more secure they become. However, the absolute minimum should be once a year; in our experience this is what many companies do, and it is also what they prefer for cost reasons.
Semi-annual or even quarterly tests are indeed advisable, especially if a digital system has undergone significant changes. This is the case, for example, when an app is relaunched with new functions and rebuilt in a new programming language. Likewise, the release of a new API version can be a good reason to repeat a penetration test.
German Federal Office for Information Security:
"While thorough execution cannot completely rule out a successful attack, it significantly reduces the likelihood of one. However, the effectiveness of a penetration test can diminish relatively quickly due to advancements in the IT field. The higher the protection needs of the systems, the more frequently penetration tests should be conducted to keep the likelihood of a successful attack at an acceptable level for the company."
Source: Implementation concept for penetration tests by the BSI
IT is dynamic - your penetration testing strategy should be as well
From our experience, we know that IT systems, whether a website, a mobile application, or a network in general, are never static. They change at varying frequencies, sometimes intentionally, sometimes unintentionally. Careless employees can quickly create security vulnerabilities where none were found in the last network penetration test. A single unreviewed commit in your version control system can open a weakness that an attacker could exploit.
Looking at current events, it becomes clear that you can never test your company's IT security too often.
Let's work together to determine what makes the most sense in your case.
Reality check: Penetration tests are expensive and complex
In theory, you would test continuously, but that is not realistic. It is far more worthwhile to consider what is truly important, set priorities, and replace annual or semi-annual manual penetration tests with services such as "Penetration Testing as a Service" and/or "Bug Bounty Programs". This way, the already limited IT security budget can be used more efficiently. DSecured is a pentest provider that can help you with this.
Penetration Testing as a Service as an alternative
DSecured offers Penetration Testing as a Service as a valuable complement to the regular penetration tests that remain necessary. A fixed time budget is established from which the client can continuously draw to promptly test small changes. This involves close collaboration with a strong focus on the testing process. Typically, there is no complex reporting; instead, the tester communicates their findings and the associated risks through a designated communication channel.
Set up your own Bug Bounty program
A Bug Bounty program has also proven to be highly effective. It is important to clearly define the value of the different types of security vulnerabilities, so that researchers know what is in scope and what a finding is worth. Large corporations often use this tool to have ethical hackers continuously search for security gaps. Most DSecured employees work in this field and look for vulnerabilities in corporate networks in their spare time. DSecured assists with the planning and preparation of such a Bug Bounty program!
Vulnerability Disclosure Policy
In Germany in particular, a VDP (Vulnerability Disclosure Policy) is still relatively rare. Such a policy allows ethical hackers to report potential findings to companies securely and without fear of legal consequences. Compared to a full-fledged Bug Bounty program, the level of engagement is lower, but it is still worthwhile to consider such a policy.
IT security is a process - there is no single correct answer.
As mentioned at the beginning, it is difficult for us to give a clear recommendation. IT security is a process, and this means that the frequency with which penetration tests should be repeated depends on many factors. Annually is generally cited as the absolute minimum, but even here we would say that a router with no changes does not necessarily need to be tested every year. Legal requirements (PCI DSS, ISO 27001), deployment strategies, relaunches, the protection needs of the system, and many other aspects are relevant when answering this question. Just contact us, and we can give our opinion on your specific case.