As threats become much more pervasive and dynamic, organizations are adopting proactive security measures such as penetration testing to build out a comprehensive security strategy.
Pentesting validates that software and hardware controls have been implemented by using the same tools and techniques an attacker would use to uncover vulnerabilities. This way, organizations can identify gaps in their overall information security program and measure the effectiveness of their patch management and incident response programs.
However, modern DevSecOps teams need more speed and flexibility than what traditional pentesting engagements can deliver. Incremental pentesting programs can help identify and address security gaps more frequently because they focus on smaller segments at a time.
With the needs of DevSecOps teams in mind, penetrating testing-as-a-service (PTaaS) is seeing a higher profile.
Development Teams Align Pentesting with DevSecOps
PTaaS company Cobalt announced its new Agile Pentesting service to help security teams align penetration testing with the continuous integration and continuous delivery (CI/CD) pipeline. The smaller pentest engagements can help extend the reach of security teams and accelerate secure build-to-release timelines.
Andrew Obadiaru, Cobalt’s CISO, says that end users of this offering are security and development teams who are looking to align pentesting more closely to their DevSecOps processes.
“These are teams who are pentesting beyond compliance obligations and conducting more targeted tests that focus on a specific area of an asset, or a specific vulnerability across an asset,” he says.
The Agile Pentesting offering allows organizations to focus on a specific area of an asset, such as a new feature or product release, specific vulnerability, or incremental testing.
“Focused pentesting allows organizations and IT teams to quickly determine potential vulnerabilities or security flaws in a specific product or feature prior to deploying into production,” Obadiaru adds.
Incremental Pentesting a Risk-Based Effort
John Steven, CTO at ThreatModeler, an automated threat modeling provider, says part of the prioritization that occurs with incremental penetration testing should be the alignment of test scope with new features and release promises.
“This creates natural alignment between delivery and security priority and focus,” he explains. “Additionally, there’s a quick benefit: defect studies indicate that where code churns, bugs — and vulnerability — are more likely to be found.”
Steven adds that “the dirty secret” is that all penetration testing is incremental.
“Exhaustively testing even a small system would take months,” he says. “Taking an incremental posture on penetration first acknowledges that the effort is ‘risk-based’, prioritizing that which is most impactful and likely.”
Second, it allows the activity to fit more closely within the cadence of delivery, so that its results can be acted on with a minimum (if any) exposure time of vulnerable systems in production.
“Confining penetration testing efforts to those things threat modeling indicate are high impact and potentially likely for a worrying population of adversaries is perhaps the most key optimization organizations can make,” he adds.
Dave Gerry, chief operating officer at Bugcrowd, a crowdsourced cybersecurity specialist, says a long-standing challenge with pentesting has been the “point-in-time” nature of the tests.
“At some pre-defined period of time, the test is completed against the then-current version of the application and a report is delivered,” he says.
The challenge is that development changes significantly over the course of years, and often by the time a pentest is completed and the report is delivered, the information is already out of date due to application changes.
“By completing incremental testing on the application, security organizations can gain current and ongoing visibility into the security posture of the application as the smaller scope allows for faster testing turnaround,” Gerry explains.
This enables security organizations to receive real-time information into the current security posture of the application, network, or infrastructure within scope.
Automation Aids Continuous Testing
Jason Rowland, vice president of penetration testing and cloud services at Coalfire, a provider of cybersecurity advisory services, says that continuous testing, given resource constraints faced by the infosec community, will require an approach that maximizes use of testers and offloads work that can be automated.
“Utilizing platforms to perform attack surface discovery and vulnerability identification, as an example, will become prevalent as we unlock the true value of offensive security,” Rowland says.
As an industry impaired by the sheer volume of vulnerabilities, security alerts, and frameworks, prioritizing the behaviors of the adversary provides clarity and facilitates better decisions on the use of finite security resources, he says.
“This model is being adopted and will continue to gain prevalence as organizations focus on activities that deliver the specific outcome of minimizing the impact of security incidents,” Rowland notes.
Obadiaru adds that while pentesting is a modernized approach to enhanced security, this process and method will continue to evolve — especially as cyberattacks become more commonplace and complex.
“Security tools will need to remain strong and keep up with heightened demands,” he says. “It’s likely we’ll also see increased use of pentesting in non-traditional security areas, such as mergers and acquisitions, assurance, and regulatory compliance.”
PTaaS Offers Real-Time Insights
Gerry notes that in the past few years, there’s been an increased shift from traditional pentesting to PTaaS.
“Rather than point-in-time assessments, organizations are leveraging pentesting as an important tool in their risk and security program, rather than a necessary evil to maintain compliance with internal or external requirements,” he says.
He explains by leveraging a PTaaS offering, security teams gain the ability to view results in real time via a SaaS platform, integrate pentesting into their development and security product suite, and institute ongoing testing across retests, focused-scope testing, and new product capability testing.
“Every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced,” Gerry says. “Security organizations must maintain the ability to gain real-time visibility into the current posture — both from a risk governance perspective and from a compliance perspective.”
Rowland says as organizations begin to prioritize defense and detection capability investments based on the tactics, techniques, and procedures of the actors most likely to target their organization, the role of offensive security has become increasingly integrated and central to the success of the security strategy.
“Since the tactics of the adversary and attacks surface are dynamic, offensive security must continuously validate that the program is keeping pace,” he explains. “Regular testing is necessary to drive and validate adjustments to defenses based new intelligence, architectural changes, or the introduction of new assets.”
Steven believes that many people think of penetration testing in an “attacker-centric” way, forgetting that penetration testing is a highly technology-specific pursuit when it comes to software and platforms as well.
“We found that specialized teams were necessary for ATMs, automotive, healthcare, Web, and mobile,” he says. “Still others handled mainframe and OS-level penetration testing.”
He says as applications move to the cloud, penetration testing and the teams servicing that activity must adapt.
“The cloud isn’t a single monolith — it’s several major providers, each with tens or hundreds of specific APIs and control sets,” Steven adds. “Penetration testers will have to use tools to discover sprawling cloud-based assets, no longer confined to a datacenter or IP range, and then quickly become experts in the tech stacks used by any in-play orchestration platforms, control planes, and providers.”