Organizations Conduct App Penetration Tests More Frequently - and Broadly

Compliance is no longer the primary motivator. AppSec is, says.

In an encouraging sign for application security, enterprise organizations are conducting penetration tests more frequently and more broadly than before, data from a new study suggests.

Unlike in the past where regulatory and other compliance mandates used to be the primary driver for these tests, organizations are now conducting them more to proactively detect and address security issues in their software, the study found., which provides application penetration testing-as-a-service (PTaaS) to large and midsize organizations, recently commissioned a third-party firm to interview five of its customers. Among them were a global enterprise software provider, a publicly held global cloud communications provider, and a software-as-a-service (SaaS) provider. Company sizes ranged from those with thousands of employees to midsize firms with hundreds of employees.

The data showed that application security has become a top priority at these companies, according to All of the companies reported testing 100% of their applications at least once on an annual basis. Three of the companies reported testing their business-critical applications between two and four times a year. found the organizations are all testing not just their Web applications but also microservices, associated APIs, and backend enterprise applications.

The maturing use of DevOps practices and microservices architectures appeared to be driving some of these changes, especially with regard to tests on APIs and nonbusiness-critical apps.

In a similar study that conducted in 2017, the participating organizations had reported conducting pen tests only on their most critical applications, and that, too, just once a year. When apps were tested, it was usually just Web apps, though a handful reported testing APIs as well.

Organizations in's 2017 study had described their pen-testing exercises as being driven by compliance requirements and conducted and managed largely by the information security organization. In contrast, organizations in this year's study said pen tests were a shared responsibility between the security and development teams.

Caroline Wong, chief strategy officer at, points to two broad takeaways from the latest study. "First, application security is a top priority for companies," Wong says. "Second, enterprise organizations are expanding the scope and frequency of their pen-testing activities."

According to Wong, the organizations in the study were typically testing internally developed software — including new features and updates — during the QA stage and in production when an application is up and running.

The participants in's study were all customers of the company's hosted penetration-testing service. But their views appeared to reflect a broader trend.

Beyond Pen Tests
Andrew Hay, chief operating officer at pen-testing firm Lares, says that while compliance and mitigation of audit findings are still major drivers for penetration testing, broader concerns over app security have become important as well.

"We're seeing a lot of organizations move beyond simple internal and external penetration testing to more full-scope red teaming engagements that include physical, technological, and social aspects," Hay says.

From using pen tests as a sort of gold standard for app security, many organizations are adding in targeted phishing, social engineering, application pen tests, and physical-office entry exercises to obtain a full picture of how an attacker might infiltrate them.

"We're also seeing an increase in the number of purple-teaming engagements where the organizations want to learn from our red team to detect future attacks and tune their monitoring and incident response capabilities," Hay says.

Many organizations also have increased the frequency of tests to keep pace with infrastructure changes and faster app development times, or to ensure that no new issues are being introduced into the environment when they acquire another firm, Hay says.

Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.

Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.

"PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting," he says. "It ultimately helps to accelerate the remediation process."

Like the others, Shilts says that many of NetSPI's customers are working to test more and more of their attack surface. Some of these environments can be incredibly large and complex, so a one-size-fits-all approach to testing does not work. 

"A PTaaS model allows enterprises to conduct exhaustive, deep-dive manual testing for certain applications and high level continuous tests in other areas," he says.'s Wong says one benefit customers have reported is that a PTaaS platform allows the results from pen tests to be shared in real time, enabling quicker remediation of discovered vulnerabilities.

"In a DevOps environment where you do multiple code releases and hundreds of builds a day, efficiency is key," she says. "PtaaS provides continuous interaction between the pen testers and security and engineering teams," which can result in better operational efficiencies.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.