Four Ways to Elevate Your Penetration Testing Program
As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Nabil Hannan, the Managing Director at NetSPI, shows us four ways to elevate your penetration testing program.
Let’s set the scene. For years, organizations have undergone compliance-based penetration testing (pentesting), meaning they only audit their systems for security vulnerabilities when mandated to do so by regulatory bodies. However, this “check-the-box” mindset that’s centered around point-in-time testing is leaving organizations at risk for potential exploitation.
From August-October 2021 alone, a total of 7,064 new Common Vulnerabilities and Exposures (CVE) numbers were registered – all of which could go undetected if a business does not have an established proactive security posture.
With malicious actors continuously evolving and maturing their attack techniques, organizations must leave this outdated mindset behind and take the necessary steps to develop a comprehensive, always-on penetration testing program. Here’s a look at how this can be accomplished.
Adopt an ‘as-a-Service’ Model
Traditional pentesting programs operate under a guiding principle: organizations only need to test their assets a few times a year to properly protect their business from potential vulnerabilities. During such an engagement, a pentester performs an assessment over a specified period and then provides a static report outlining all of the vulnerabilities found. While once deemed the status quo, this traditional model has many sources of inefficiency.
With threats increasing, organizations must take a proactive approach to their security posture. Technology-enabled as-a-Service models overhaul traditional pentesting programs by creating always-on visibility into corporate systems. For an as-a-Service model to succeed, the engagement should allow organizations to view their testing results in real-time, orchestrate faster remediation, and perform always-on continuous testing.
This hyperfocus on transparency from both parties will drive clear communication, with the pentesters available to address any questions or concerns in real-time – instead of just providing a static, non-actionable report. Additionally, it allows teams to truly understand the vulnerabilities within their systems so they can begin remediation before the end of the pentesting engagement.
Lastly, when working in an as-a-Service model, pentesters can help organizations become more efficient with their security processes, as they work as an extension of the internal team and can lend their industry expertise to help strengthen their clients’ security posture.
Prioritize Risk, Not Compliance
Many organizations manage thousands of assets, from applications and network devices to components or sections of their infrastructure. With cyber-criminals able to penetrate 93 percent of company networks, IT and security teams must understand how to appropriately prioritize business tools based on the inherent risk associated with each one.
To effectively accomplish this, there must be a concentrated effort to move away from traditional checkbox compliance-driven testing and a renewed focus placed on risk management. A risk-based security strategy will focus on the following: differentiating assets and risks, ranking the risks, and then pentesting based on what needs to be prioritized in the moment, with the ability to quickly pivot as needed.
Risk scoring, or the ability to score corporate assets based on the risk they pose to a business and compare the risk exposure for each, is necessary to understand how risks should be prioritized.
Organizations can also leverage this type of scoring to rank their different business units or departments, determining which ones have established security measures and which ones need improvement. This transparency builds internal competition between the different lines of businesses so they can work more efficiently to improve their security efforts. In addition, risk scoring allows organizations to compare themselves against peer organizations within their industry and establish a baseline to work off of.
Harness both Automated and Manual Testing
As organizations grapple with the cybersecurity and technology talent shortage, automation has taken center stage. When it comes to pentesting, many have identified automated testing as the model of the future. However, to be truly effective, manual testing must always play a role – no matter how advanced technology becomes.
While there are currently tools and scanners that test for specific vulnerabilities, scenarios, or controls such as input validation and output encoding, the technology cannot automatically determine the intent, feature, or functionality of business assets – especially with software being increasingly built and utilized for emerging use cases.
This is where the human component comes in. Working with automated technology, pentesters can test systems to identify the vulnerabilities that technology misses, providing 24/7, 360-degree coverage for organizations. To be successful, pentesting companies or internal security teams must develop a comprehensive testing methodology so automated tools help guide and lead the testing, while humans use their experiences and expertise to uncover business logic vulnerabilities that tools simply cannot find.
While automation is not the perfect solution for a penetration testing program, it is necessary to help manual pentesting teams get started on solid footing. Another benefit? It frees time for the human pentesters to manually test the assets they know the technology may miss – making their role more strategic and effective. With both external threats and corporate software evolving rapidly, humans and tech must work cohesively to provide assured security coverage.
Take a Holistic Approach to Pentesting
Proactive cybersecurity efforts cannot be accomplished in silos. When pentesting various systems, teams must have coverage across all of their assets and systems. While taking a holistic approach can be challenging depending on organization size, it is crucial to ensure there is a proper inventory of what’s being tested and what should be prioritized, and that the inventory remains up-to-date as the organization onboards additional technology and solutions.
Systems should not be tested separately; instead, they should be viewed as a cohesive ecosystem that must be maintained in order to continue seamless business operations. Ultimately, this visibility into systems gives organizations a deeper understanding of the necessary pentesting strategy to deploy, which will separate security leaders from security laggards.
Pentesting is a strategic asset, and business leaders must view it as such to properly defend their networks from both external and internal threats. While it may take time and effort to evolve corporate mindsets about this traditional practice, up-leveling your penetration testing program is one of the best ways to stay ahead of the curve and discover security gaps before a bad actor does.