Dark Reading is part of the Informa Tech Division of Informa PLC
5/13/2020
04:40 PM
Organizations Conduct App Penetration Tests More Frequently - and Broadly

Compliance is no longer the primary motivator. AppSec is, Cobalt.io says.

In an encouraging sign for application security, enterprise organizations are conducting penetration tests more frequently and more broadly than before, data from a new Cobalt.io study suggests.

Where regulatory and other compliance mandates were once the primary driver for these tests, organizations now conduct them mainly to proactively detect and address security issues in their software, the study found.

Cobalt.io, which provides application penetration testing-as-a-service (PTaaS) to large and midsize organizations, recently commissioned a third-party firm to interview five of its customers. Among them were a global enterprise software provider, a publicly held global cloud communications provider, and a software-as-a-service (SaaS) provider. Company sizes ranged from those with thousands of employees to midsize firms with hundreds of employees.

The data showed that application security has become a top priority at these companies, according to Cobalt.io. All of the companies reported testing 100% of their applications at least once on an annual basis. Three of the companies reported testing their business-critical applications between two and four times a year. Cobalt.io found the organizations are all testing not just their Web applications but also microservices, associated APIs, and backend enterprise applications.

The maturing use of DevOps practices and microservices architectures appeared to be driving some of these changes, especially with regard to tests on APIs and nonbusiness-critical apps.

In a similar study that Cobalt.io conducted in 2017, the participating organizations had reported conducting pen tests only on their most critical applications, and that, too, just once a year. When apps were tested, it was usually just Web apps, though a handful reported testing APIs as well.

Organizations in Cobalt.io's 2017 study had described their pen-testing exercises as being driven by compliance requirements and conducted and managed largely by the information security organization. In contrast, organizations in this year's study said pen tests were a shared responsibility between the security and development teams.

Caroline Wong, chief strategy officer at Cobalt.io, points to two broad takeaways from the latest study. "First, application security is a top priority for companies," Wong says. "Second, enterprise organizations are expanding the scope and frequency of their pen-testing activities."

According to Wong, the organizations in the Cobalt.io study were typically testing internally developed software — including new features and updates — during the QA stage and in production when an application is up and running.

The participants in Cobalt.io's study were all customers of the company's hosted penetration-testing service. But their views appeared to reflect a broader trend.

Beyond Pen Tests
Andrew Hay, chief operating officer at pen-testing firm Lares, says that while compliance and mitigation of audit findings are still major drivers for penetration testing, broader concerns over app security have become important as well.

"We're seeing a lot of organizations move beyond simple internal and external penetration testing to more full-scope red teaming engagements that include physical, technological, and social aspects," Hay says.

Rather than treating the pen test as a sort of gold standard for app security, many organizations are adding targeted phishing, social engineering, application pen tests, and physical-office entry exercises to obtain a full picture of how an attacker might infiltrate them.

"We're also seeing an increase in the number of purple-teaming engagements where the organizations want to learn from our red team to detect future attacks and tune their monitoring and incident response capabilities," Hay says.

Many organizations also have increased the frequency of tests to keep pace with infrastructure changes and faster app development times, or to ensure that no new issues are being introduced into the environment when they acquire another firm, Hay says.

Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.

Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.

"PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting," he says. "It ultimately helps to accelerate the remediation process."

Like the others, Shilts says that many of NetSPI's customers are working to test more and more of their attack surface. Some of these environments can be incredibly large and complex, so a one-size-fits-all approach to testing does not work.

"A PTaaS model allows enterprises to conduct exhaustive, deep-dive manual testing for certain applications and high-level continuous tests in other areas," he says.

Cobalt.io's Wong says one benefit customers have reported is that a PTaaS platform allows the results from pen tests to be shared in real time, enabling quicker remediation of discovered vulnerabilities.

"In a DevOps environment where you do multiple code releases and hundreds of builds a day, efficiency is key," she says. "PTaaS provides continuous interaction between the pen testers and security and engineering teams," which can result in better operational efficiencies.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

nhannan, User Rank: Author
6/30/2020 | 10:42:23 AM
PTaaS
I'm excited to see how PTaaS makes a difference in the way Penetration Testing is consumed by organizations going forward and as organizations evolve their security practices.