As threats become much more pervasive and dynamic, organizations are adopting proactive security measures such as penetration testing to build out a comprehensive security strategy.

Pen testing validates that software and hardware controls have been implemented by using the same tools and techniques an attacker would use to uncover vulnerabilities. This way organizations can identify gaps in their overall information security program and measure the effectiveness of their patch management and incident response programs.

However, modern DevSecOps teams need more speed and flexibility than what traditional pen-testing engagements can deliver. Incremental pen-testing programs can help identify and address security gaps more frequently because they focus on smaller segments at a time.

With the needs of DevSecOps teams in mind, penetration testing-as-a-service (PTaaS) is seeing a higher profile.

Development Teams Align Pen Testing With DevSecOps

PTaaS company Cobalt announced its new Agile Pentesting service to help security teams align pen testing with the continuous integration and continuous delivery (CI/CD) pipeline. The smaller pen-test engagements can help extend the reach of security teams and accelerate secure build-to-release timelines.

Andrew Obadiaru, Cobalt's CISO, says that the service's end users are security and development teams who are looking to align pen testing more closely to their DevSecOps processes.

"These are teams who are pen testing beyond compliance obligations and conducting more targeted tests that focus on a specific area of an asset or a specific vulnerability across an asset," he says.

The Agile Pentesting offering allows organizations to focus on a specific area of an asset, such as a new feature or product release, specific vulnerability, or incremental testing.

"Focused pen testing allows organizations and IT teams to quickly determine potential vulnerabilities or security flaws in a specific product or feature prior to deploying into production," Obadiaru adds.

Incremental Pentesting a Risk-Based Effort

John Steven, CTO at automated threat modeling provider ThreatModeler, says part of the prioritization that occurs with incremental pen testing should be the alignment of test scope with new features and release promises.

"This creates natural alignment between delivery and security priority and focus," he explains. "Additionally, there's a quick benefit: Defect studies indicate that where code churns, bugs — and vulnerabilities — are more likely to be found."

"The dirty secret" is that all penetration testing is incremental, Steven adds.

"Exhaustively testing even a small system would take months," he says. "Taking an incremental posture on penetration first acknowledges that the effort is 'risk-based,' prioritizing that which is most impactful and likely."

Second, it allows the activity to fit more closely within the cadence of delivery so that its results can be acted on with minimum (if any) exposure time of vulnerable systems in production.

"Confining penetration testing efforts to those things threat modeling indicate are high impact and potentially likely for a worrying population of adversaries is perhaps the most key optimization organizations can make," he adds.

Dave Gerry, chief operating officer at Bugcrowd, a crowdsourced cybersecurity specialist, says a long-standing challenge with pen testing has been the "point-in-time" nature of the tests.

"At some predefined period of time, the test is completed against the then-current version of the application and a report is delivered," he says.

The challenge is that development changes significantly over the course of years; by the time a pen test is completed and the report is delivered, the information is often out of date due to application changes.

"By completing incremental testing on the application, security organizations can gain current and ongoing visibility into the security posture of the application as the smaller scope allows for faster testing turnaround," Gerry explains.

This enables security organizations to receive real-time information into the current security posture of the application, network, or infrastructure within scope.

Automation Aids Continuous Testing

Given resource constraints faced by the infosec community, continuous testing will require an approach that maximizes use of testers and offloads work that can be automated, says Jason Rowland, vice president of penetration testing and cloud services at Coalfire, a provider of cybersecurity advisory services.

"Utilizing platforms to perform attack surface discovery and vulnerability identification, as an example, will become prevalent as we unlock the true value of offensive security," Rowland says.

As an industry impaired by the sheer volume of vulnerabilities, security alerts, and frameworks, prioritizing the behaviors of the adversary provides clarity and facilitates better decisions on the use of finite security resources, he says.

"This model is being adopted and will continue to gain prevalence as organizations focus on activities that deliver the specific outcome of minimizing the impact of security incidents," Rowland notes.

While pen testing is a modernized approach to enhanced security, this process and method will continue to evolve — especially as cyberattacks become more commonplace and complex, Cobalt's Obadiaru adds.

"Security tools will need to remain strong and keep up with heightened demands," he says. "It's likely we'll also see increased use of pen testing in nontraditional security areas, such as mergers and acquisitions, assurance, and regulatory compliance."

PTaaS Offers Real-Time Insights

Gerry notes an increased shift from traditional pen testing to PTaaS in the past few years.

"Rather than point-in-time assessments, organizations are leveraging pen testing as an important tool in their risk and security program, rather than a necessary evil to maintain compliance with internal or external requirements," he says.

By leveraging a PTaaS offering, he explains, security teams gain the ability to view results in real time via a SaaS platform, integrate pen testing into their development and security product suite, and institute ongoing testing across retests, focused-scope testing, and new product capability testing.

"Every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced," Gerry says. "Security organizations must maintain the ability to gain real-time visibility into the current posture — both from a risk governance perspective and from a compliance perspective."

As organizations begin to prioritize defense and detection capability investments based on the tactics, techniques, and procedures of the actors most likely to target their organizations, the role of offensive security has become increasingly integrated and central to the success of the security strategy, Rowland says.

"Since the tactics of the adversary and attack surfaces are dynamic, offensive security must continuously validate that the program is keeping pace," he explains. "Regular testing is necessary to drive and validate adjustments to defenses based on new intelligence, architectural changes, or the introduction of new assets."

ThreatModeler's Steven believes that many people think of penetration testing in an "attacker-centric" way, forgetting that penetration testing is a highly technology-specific pursuit when it comes to software and platforms as well.

"We found that specialized teams were necessary for ATMs, automotive, healthcare, Web, and mobile," he says. "Still others handled mainframe and OS-level penetration testing."

As applications move to the cloud, penetration testing and the teams servicing that activity must adapt, Steven adds.

"The cloud isn't a single monolith — it's several major providers, each with tens or hundreds of specific APIs and control sets," he says. "Penetration testers will have to use tools to discover sprawling cloud-based assets no longer confined to a data center or IP range and then quickly become experts in the tech stacks used by any in-play orchestration platforms, control planes, and providers."