Four Ways Pentesting is Shifting to an “Always On” Approach
No industry is safe from a cyberattack and last year’s long list of breach victims is testament to that. Within the first six months of 2019, 3,800 breaches were reported, exposing 4.1 billion records. The impact of a breach continues to grow, and the wide-ranging threat landscape continues to shift – thus, our network security testing strategies should evolve in tandem.
Penetration testing has been around for decades and has remained at the foundation of vulnerability testing and management programs. But as the modern enterprise continues to evolve, and attack surfaces become much more complex, pentesting has remained relatively unchanged. Following a pentest, security and IT teams are typically left with an immense amount of vulnerability data that ends up in PDFs with limited context, making it challenging to process and collaborate with development teams for vulnerability remediation. In addition, many organizations struggle with the breadth of their security testing coverage and lack the time or financial resources to adequately pentest all of the applications and systems in their environment – and they can’t remediate all the vulnerabilities from each test. According to Gartner, once a company discloses a vulnerability and releases a patch, it takes 15 days before an exploit appears in the wild.
To ensure critical assets are secure and their entire attack surface has some level of pentesting coverage, today’s modern enterprise requires a more continuous and comprehensive penetration testing process.
Enter Penetration Testing as a Service, or PTaaS: a hybrid approach to security testing that combines manual and automated ethical hacking attempts with 24/7 scanning, consultation and streamlined communication and reporting delivered through a single platform. By delivering pentesting “as a service,” organizations receive a broader, more thorough vulnerability audit year-round instead of relying on point-in-time pentests, which are typically executed just once a year.
Point-in-Time Pentesting Versus PTaaS
While an important starting point, point-in-time penetration testing has its limitations. Once a test has been completed, how can one be sure that no new vulnerabilities arise during the remaining 364 days of the year? To better understand the impact of PTaaS, here are four core differences between point-in-time penetration testing and PTaaS. PTaaS gives organizations:
- Visibility and control. Through PTaaS, organizations are put in control of the pentest. Security teams gain the ability to request and scope new engagements, see the progress and status of all open engagements, easily parse the vulnerability trends, and work to understand and verify the effectiveness of remediations, all within a single online platform.
- Paths to quicker remediation. The penetration testing reports, often static PDFs, created after a standard pentest leave much to be desired when it comes to vulnerability remediation. On average, it takes 67 days to remediate critical vulnerabilities. PTaaS platforms allow findings to be actionable as they can be sorted, searched, filtered, and audited. As the vulnerability or exploit evolves over time, the data related to it will be updated, not remain unchanged in a document. Additionally, PTaaS provides development teams with the most up-to-date and relevant information for remediation, with assistance and consultation from the team of pentesters who found the vulnerability.
- More security testing possibilities. Due to both the cost savings of automation and the efficiency provided for remediating vulnerabilities, companies are able to do more with their budgets and internal resources. The faster vulnerabilities are found and remediated, the quicker the company can move on to protect itself from the next vulnerability.
- Prioritized, actionable results. PTaaS platforms, like NetSPI’s Resolve will aggregate and correlate the findings, eliminating manual administrative tasks while providing a result set that drives the right set of actions in an efficient manner for all organizations. According to Gartner, one of the most common ways to fail at vulnerability management is by sending a report with thousands of vulnerabilities for the operations team to fix. Successful vulnerability management programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.
What’s fueling the desire for an “as a Service” model for penetration testing?
Businesses, no matter the industry, are constantly changing and are on the lookout for technology that can scale with them. Because of the constant flux that businesses remain in today, whether from engaging in a merger or acquisition or integrating a new software program, there is a desire to uncover the most efficient way to maintain an always-on vulnerability testing strategy, while also ensuring capacity to remediate. PTaaS is scalable, so that organizations of all sizes and maturity can use it to maintain a small part of their security testing program – or the entire program.
Further, heavily regulated industries – such as financial services, healthcare, and government – benefit greatly from an “as a Service” model, given the level of sensitive data stored and pressures of maintaining compliance. With PTaaS, organizations can consume their data, on-demand, in many formats for their various regulatory bodies and gain the visibility to know what is happening in their security testing program, and what actions need to be taken.
PTaaS is the new standard for vulnerability testing and remediation as security teams recognize that annual testing does not enable a proactive security strategy. Pentesting engagements are no longer a once-a-year tool for compliance and have evolved into a critical part of day-to-day security efforts.