Cloud Apps Make the Case for Pen-Testing-as-a-Service

With enterprise applications defaulting to cloud infrastructure, application security testing increasingly resembles penetration testing across an distributed attack surface area of the application — a similarity that is opening new markets for penetration-testing-as-a-service (PTaaS). 

Rather than focusing on the edges of the network, PTaaS providers are focusing on cloud applications, which typically have three vectors of vulnerability: the application itself, the interconnections between applications, and the way the application changes over time. Accelerated development and events such as mergers and acquisitions tend to expand the attack surface area along all three vectors, but pen testing aims to keep pace with the changes.

Organizations need to lock down their cloud applications because attackers are already looking for remotely exploitable security flaws; the average firm has 11,000 exploitable security exposures in any given month, says Kelly Albrink, associate vice president of consulting at Bishop Fox, an offensive security firm.

"Organizations are going up against attackers with unlimited time [and] large amounts of resources, and they're going for the lowest-hanging fruit first," she says. "As these applications are getting more complex, and as the integrations are getting more complex, that just expands the opportunities for attackers and ways that they can get into an app or then, ultimately, any of the systems it's connected to."

Today Bishop Fox announced its Cosmos Application Penetration Testing (CAPT) service that combines pen testing with on-demand assessment and analysis services. 

Cloud deployment has quickly become the standard for enterprise applications. By 2025, 95% of new digital workloads will be deployed to cloud-native platforms, up from 30% in 2021, according to business intelligence firm Gartner. Many of those workloads — up to 70% by 2025 — will not be traditional applications but low-code or no-code applications deployed through cloud services, Gartner stated.

The App, the Cloud, and the Configuration

The cloud and the applications deployed to cloud infrastructure are so intertwined that pen testers need to account for not only the security of the app, but the cloud platform and the application's cloud configuration, says Caroline Wong, chief strategy officer at Cobalt.io, a PTaaS firm.

"Access control and configuration are fundamentally different between network and cloud, and these characteristics must be tested intentionally," Wong says. "Cloud adoption leads to rapid increases in both the number of applications in a company's software portfolio, as well as the frequency of changes for each of those applications."

The largest share of security issues discovered during penetration tests — nearly 40% — are server security misconfigurations, such as a lack of security headers and insecure SSL and TLS cipher libraries, according to Cobalt's "The State of Pentesting 2023" report. 

From a vulnerability standpoint, Cobalt found that stored cross-site scripting (XSS), outdated software versions, and insecure director object references (IDOR) are the most common vulnerabilities. Nearly all (94%) of the stored XSS vulnerabilities and 85% of IDOR vulnerabilities are medium severity or higher.

Yet over time, PTaaS customers see fewer medium, high, and critical flaws as a share of all the discovered issues, as the most serious issues are detected and fixed, the report stated.

Ramp Up Pen Testing With Need

The line between dynamic application security testing (DAST) and PTaaS has essentially disappeared as applications are deployed to the cloud. In many ways, the definition of an application has changed, says Bishop Fox's Albrink. One of the firm's clients asked the firm to test 30 applications, but when they walked through the scope of the pen test, they determined it was a single application with 30 different microservices, each managed by a different team in the company. 

"We really recommend typically to do a holistic approach, so everything that an end user would be able to see and interact with is part of the app," she says. "And that might include API endpoints, middleware, a firewall, [and] dozens of other systems on the back end, but they're all being presented through kind of one user experience."

Time is the final axis along which applications change. Security debt is very real and, especially in an agile development group, frequent security and penetration is necessary, says Cobalt's Wong. 

"For companies pushing code weekly or even daily, it's likely not enough to keep up with the speed of change and likelihood of introducing new security vulnerabilities," she says. "Every organization is going to have a limited budget, and we see these changes resulting in a shift of how security spend is allocated across offensive and defensive security controls."