Organizations Conduct App Penetration Tests More Frequently - and Broadly

Compliance is no longer the primary motivator. AppSec is, Cobalt.io says.

In an encouraging sign for application security, enterprise organizations are conducting penetration tests more frequently and more broadly than before, data from a new Cobalt.io study suggests.

Where regulatory and other compliance mandates used to be the primary driver for these tests, organizations now conduct them mainly to proactively detect and address security issues in their software, the study found.

Cobalt.io, which provides application penetration testing-as-a-service (PTaaS) to large and midsize organizations, recently commissioned a third-party firm to interview five of its customers. Among them were a global enterprise software provider, a publicly held global cloud communications provider, and a software-as-a-service (SaaS) provider. Company sizes ranged from those with thousands of employees to midsize firms with hundreds of employees.

The data showed that application security has become a top priority at these companies, according to Cobalt.io. All of the companies reported testing 100% of their applications at least once on an annual basis. Three of the companies reported testing their business-critical applications between two and four times a year. Cobalt.io found the organizations are all testing not just their Web applications but also microservices, associated APIs, and backend enterprise applications.

The maturing use of DevOps practices and microservices architectures appeared to be driving some of these changes, especially with regard to tests on APIs and non-business-critical apps.

In a similar study that Cobalt.io conducted in 2017, the participating organizations had reported conducting pen tests only on their most critical applications, and that, too, just once a year. When apps were tested, it was usually just Web apps, though a handful reported testing APIs as well.

Organizations in Cobalt.io's 2017 study had described their pen-testing exercises as being driven by compliance requirements and conducted and managed largely by the information security organization. In contrast, organizations in this year's study said pen tests were a shared responsibility between the security and development teams.

Caroline Wong, chief strategy officer at Cobalt.io, points to two broad takeaways from the latest study. "First, application security is a top priority for companies," Wong says. "Second, enterprise organizations are expanding the scope and frequency of their pen-testing activities."

According to Wong, the organizations in the Cobalt.io study were typically testing internally developed software — including new features and updates — during the QA stage and in production when an application is up and running.

The participants in Cobalt.io's study were all customers of the company's hosted penetration-testing service. But their views appeared to reflect a broader trend.

Beyond Pen Tests
Andrew Hay, chief operating officer at pen-testing firm Lares, says that while compliance and mitigation of audit findings are still major drivers for penetration testing, broader concerns over app security have become important as well.

"We're seeing a lot of organizations move beyond simple internal and external penetration testing to more full-scope red teaming engagements that include physical, technological, and social aspects," Hay says.

Where pen tests were once treated as the gold standard for app security, many organizations now add targeted phishing, social engineering, application pen tests, and physical-office entry exercises to obtain a full picture of how an attacker might infiltrate them.

"We're also seeing an increase in the number of purple-teaming engagements where the organizations want to learn from our red team to detect future attacks and tune their monitoring and incident response capabilities," Hay says.

Many organizations have also increased the frequency of tests to keep pace with infrastructure changes and faster app development cycles, or to ensure that no new issues are introduced into the environment when they acquire another firm, Hay says.

Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.

Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.

"PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting," he says. "It ultimately helps to accelerate the remediation process."

Like the others, Shilts says that many of NetSPI's customers are working to test more and more of their attack surface. Some of these environments can be incredibly large and complex, so a one-size-fits-all approach to testing does not work.

"A PTaaS model allows enterprises to conduct exhaustive, deep-dive manual testing for certain applications and high-level continuous tests in other areas," he says.

Cobalt.io's Wong says one benefit customers have reported is that a PTaaS platform allows the results from pen tests to be shared in real time, enabling quicker remediation of discovered vulnerabilities.

"In a DevOps environment where you do multiple code releases and hundreds of builds a day, efficiency is key," she says. "PTaaS provides continuous interaction between the pen testers and security and engineering teams," which can result in better operational efficiencies.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comment (User Rank: Author), 6/30/2020, 10:42:23 AM:
I'm excited to see how PTaaS makes a difference in the way penetration testing is consumed by organizations going forward and as organizations evolve their security practices.