Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:40 PM
Connect Directly

Organizations Conduct App Penetration Tests More Frequently - and Broadly

Compliance is no longer the primary motivator. AppSec is, Cobalt.io says.

In an encouraging sign for application security, enterprise organizations are conducting penetration tests more frequently and more broadly than before, data from a new Cobalt.io study suggests.

Unlike in the past where regulatory and other compliance mandates used to be the primary driver for these tests, organizations are now conducting them more to proactively detect and address security issues in their software, the study found.

Cobalt.io, which provides application penetration testing-as-a-service (PTaaS) to large and midsize organizations, recently commissioned a third-party firm to interview five of its customers. Among them were a global enterprise software provider, a publicly held global cloud communications provider, and a software-as-a-service (SaaS) provider. Company sizes ranged from those with thousands of employees to midsize firms with hundreds of employees.

The data showed that application security has become a top priority at these companies, according to Cobalt.io. All of the companies reported testing 100% of their applications at least once on an annual basis. Three of the companies reported testing their business-critical applications between two and four times a year. Cobalt.io found the organizations are all testing not just their Web applications but also microservices, associated APIs, and backend enterprise applications.

The maturing use of DevOps practices and microservices architectures appeared to be driving some of these changes, especially with regard to tests on APIs and nonbusiness-critical apps.

In a similar study that Cobalt.io conducted in 2017, the participating organizations had reported conducting pen tests only on their most critical applications, and that, too, just once a year. When apps were tested, it was usually just Web apps, though a handful reported testing APIs as well.

Organizations in Cobalt.io's 2017 study had described their pen-testing exercises as being driven by compliance requirements and conducted and managed largely by the information security organization. In contrast, organizations in this year's study said pen tests were a shared responsibility between the security and development teams.

Caroline Wong, chief strategy officer at Cobalt.io, points to two broad takeaways from the latest study. "First, application security is a top priority for companies," Wong says. "Second, enterprise organizations are expanding the scope and frequency of their pen-testing activities."

According to Wong, the organizations in the Cobalt.io study were typically testing internally developed software — including new features and updates — during the QA stage and in production when an application is up and running.

The participants in Cobalt.io's study were all customers of the company's hosted penetration-testing service. But their views appeared to reflect a broader trend.

Beyond Pen Tests
Andrew Hay, chief operating officer at pen-testing firm Lares, says that while compliance and mitigation of audit findings are still major drivers for penetration testing, broader concerns over app security have become important as well.

"We're seeing a lot of organizations move beyond simple internal and external penetration testing to more full-scope red teaming engagements that include physical, technological, and social aspects," Hay says.

From using pen tests as a sort of gold standard for app security, many organizations are adding in targeted phishing, social engineering, application pen tests, and physical-office entry exercises to obtain a full picture of how an attacker might infiltrate them.

"We're also seeing an increase in the number of purple-teaming engagements where the organizations want to learn from our red team to detect future attacks and tune their monitoring and incident response capabilities," Hay says.

Many organizations also have increased the frequency of tests to keep pace with infrastructure changes and faster app development times, or to ensure that no new issues are being introduced into the environment when they acquire another firm, Hay says.

Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.

Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.

"PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting," he says. "It ultimately helps to accelerate the remediation process."

Like the others, Shilts says that many of NetSPI's customers are working to test more and more of their attack surface. Some of these environments can be incredibly large and complex, so a one-size-fits-all approach to testing does not work. 

"A PTaaS model allows enterprises to conduct exhaustive, deep-dive manual testing for certain applications and high level continuous tests in other areas," he says.

Cobalt.io's Wong says one benefit customers have reported is that a PTaaS platform allows the results from pen tests to be shared in real time, enabling quicker remediation of discovered vulnerabilities.

"In a DevOps environment where you do multiple code releases and hundreds of builds a day, efficiency is key," she says. "PtaaS provides continuous interaction between the pen testers and security and engineering teams," which can result in better operational efficiencies.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
6/30/2020 | 10:42:23 AM
I'm excited to see how PTaaS makes a difference in the way Penetration Testing is consumed by organizations going forward and as organizations evolve their security practices.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-23
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...