What Should the Future of Penetration Testing Look Like?
As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Eric Fredrickson, the Head of Attack Engineering at Horizon3.ai, shares insights on how the future of penetration testing can better support a company’s enterprise security efforts.
I’ve spent years of my career as a pentester (penetration tester), a role in which I helped organizations identify security vulnerabilities by exploiting them under agreed rules of engagement. I enjoyed the work, too. For one, it’s fun being on the offense: I was tasked with finding a way into a network while defenders tried to protect everything. My clients had good defensive teams, so when I did find and exploit weaknesses, I was competing against some of the best.
The trouble with traditional pentests is that they’re manual, time-consuming processes. Here is a simple outline of some of the steps involved in staging and launching a penetration test:
- Prepare the testing environment by identifying the technical contacts the tester may need to reach during the engagement.
- Inform key IT personnel of the plan so they know the company isn’t facing an actual attack when the test starts.
- Define the scope of the test and ensure the tester has appropriate, written authorization to conduct it.
- Put IT personnel on standby, since pentests sometimes cause issues in the IT environment.
Overall, organizations should plan on one to two weeks of prep time leading up to the test.
The time it takes to complete the test itself will depend on the organization. If a pentester has ample time, they can cover a larger portion of the IT environment and spend time on more sophisticated attacks. A complete pentest could last two to three weeks, plus another week for writing up results and recommendations. So, we now have a four-to-six-week lead time for completing a pentest of just a portion of an organization’s environment, assuming the vendor has availability. If you want a follow-up pentest to validate remediation of findings, the clock has to start again.
But it’s not just time that affects these tests—they also require money. Skilled pentesters are in high demand and charge a lot for their services. The single pentest described above could easily cost $15,000 to $50,000 (for a portion of the target IT environment). Few organizations have sufficient budget to scale pentests across their entire environment or at the frequency required to ensure networks remain secure as new systems, users, and applications are updated or added.
All this leads to organizations using pentests sparingly, usually a few times each year. Unfortunately, with the threat landscape evolving at its current pace, a network that’s secure today could open the door to attackers tomorrow due to stolen credentials, poorly executed software updates, misconfigurations, or newly disclosed vulnerabilities. Waiting three to six months between pentests can leave an organization vulnerable to simple attacks.
Speaking as a (former) pentester, things need to change. Here are some of the things the pentesting field needs to improve.
Faster Cycles
Organizations cannot afford to leave their environments at risk for months at a time. More frequent pentests won’t eliminate the risk of breaches, but they would improve network security. According to the NIST Cybersecurity Framework (CSF), organizations should verify, through systematic audit and assessment, that vulnerabilities have actually been fixed after systems are updated or patches deployed. Unfortunately, even the largest organizations cannot afford to hire enough staff or consultants to perform daily or weekly manual pentests.
This means we need “on-demand” pentests that do not require weeks of preparation. For example, organizations should be able to pentest after each software update, even when vulnerability scanners and patch management systems show that security updates have been successful. A “successfully installed” status says the package was applied; it does not say the weakness is no longer exploitable, which is what a pentest actually checks. A pending reboot, a second vulnerable instance the inventory missed, or a configuration that reintroduces the exposure can all leave a “patched” system open.
Lower Costs (Without Sacrificing Quality)
Traditional pentests are expensive. By some estimates, organizations worldwide spent $1.6 billion on pentests in 2021, and that spending could exceed $3 billion within several years. Most organizations cannot afford to execute traditional pentests as frequently as needed.
High-quality pentests need to be within the means of all organizations. For that to be possible, the cost needs to be reduced by a factor of 10 or more to allow companies to conduct pentests when they need them, not when they can afford them.
Autonomous Pentests
Manual pentests require highly skilled professionals, and the shortage of cybersecurity talent at all levels is large and growing. Worldwide there are between 3.5 million and 4 million unfilled cybersecurity jobs. It is unlikely to get better soon, as help from universities is not on the way. So, what do we do? One solution is to remove the human bottleneck for most pentests. They should be “self-service” and available at the click of a mouse, so IT and security professionals can execute one when they need it, not when they can schedule one.
Self-service must not mean lower quality. These pentests need to produce the results a skilled professional would, not the “point and click” one-day tests performed by interns running canned scripts. They need to simulate real-world attack techniques and chain together exploitable vulnerabilities, misconfigurations, harvested credentials, and dangerous product defaults into the attack paths an adversary would actually use against the network.
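The chaining described above, as an added illustration that is not part of the original column and not code from Horizon3.ai or any vendor product: a small forward-chaining engine over a constructed inventory of findings. Each finding is a precondition/effect rule (what the attacker must already hold, and what using the finding yields); applying every usable finding until nothing changes reproduces the way a pentester strings footholds together by hand. All host, share, file and credential names are made up for the example. The same engine, run again with one finding removed, answers the follow-up question a remediation pentest asks: did the fix actually break the path?

```python
"""Attack-path chaining over a constructed set of findings (added example).

A 'finding' is a precondition/effect rule: given things the attacker already
holds (a network position, a credential, a file, a host), using it yields new
ones. Repeatedly applying every usable finding shows how individually
low-severity issues compose into a path to a high-value target, and re-running
after one fix shows whether the fix actually breaks the path.
"""

# Constructed inventory for illustration only; none of these hosts,
# credentials or files is real. Each entry is (name, requires, grants).
FINDINGS = [
    ("default credentials on printer web UI",
     {"net:internal"}, {"cred:printer-admin"}),
    ("printer config page exposes LDAP bind password",
     {"cred:printer-admin"}, {"cred:svc_ldap"}),
    ("svc_ldap can read an Everyone-readable share",
     {"cred:svc_ldap", "net:internal"}, {"file:deploy.ps1"}),
    ("deploy.ps1 contains a hardcoded local admin password",
     {"file:deploy.ps1"}, {"cred:localadmin"}),
    ("local admin password reused on fileserver",
     {"cred:localadmin", "net:internal"}, {"host:fileserver"}),
    ("domain admin credential cached on fileserver",
     {"host:fileserver"}, {"cred:domain-admin"}),
    ("exploitable legacy service reachable only from the DMZ",
     {"net:dmz"}, {"host:legacy"}),
]


def find_attack_path(start, target, findings=FINDINGS):
    """Return the ordered list of finding names that take an attacker from
    the items in `start` to `target`, or None if no chain exists."""
    held = set(start)
    applied = []        # (name, requires) in the order each finding became usable
    granted_by = {}     # item -> index into `applied` that first yielded it
    progress = True
    while progress and target not in held:
        progress = False
        for name, requires, grants in findings:
            new = grants - held
            if requires <= held and new:
                applied.append((name, frozenset(requires)))
                for item in new:
                    granted_by[item] = len(applied) - 1
                held |= new
                progress = True
    if target not in held:
        return None
    # Walk back from the target to keep only the findings the chain needs,
    # then emit them in the order they were applied (a valid attack order).
    needed, todo = set(), [target]
    while todo:
        item = todo.pop()
        if item in start:
            continue
        idx = granted_by[item]
        if idx not in needed:
            needed.add(idx)
            todo.extend(applied[idx][1])
    return [applied[i][0] for i in sorted(needed)]


def path_after_fix(start, target, fixed_finding, findings=FINDINGS):
    """Re-run the chain with one finding remediated: the 'did the fix
    actually close the path?' question a follow-up pentest answers."""
    remaining = [f for f in findings if f[0] != fixed_finding]
    return find_attack_path(start, target, remaining)


if __name__ == "__main__":
    path = find_attack_path({"net:internal"}, "cred:domain-admin")
    for step, name in enumerate(path, 1):
        print(f"{step}. {name}")
    print("after fixing password reuse:",
          path_after_fix({"net:internal"}, "cred:domain-admin",
                         "local admin password reused on fileserver"))
```

Run from an internal network position, the engine reports a six-step path to a domain admin credential in which no single step would rate as critical on its own; run from the DMZ it finds no path at all, and removing the password-reuse finding also breaks the chain, which is exactly the kind of result a re-test after remediation should produce. A real autonomous pentest has to discover the findings rather than read them from a table, but the composition logic is the same.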
High Frequency, Low Cost, Autonomous Pentests
It is a lot to ask, but autonomous, on-demand pentests can change how organizations defend against a growing threat landscape, making it possible to execute tests weekly instead of several times each year. This will reduce the time organizations are vulnerable to new attack patterns, verify their existing security controls, and ensure that patches to systems solve the intended weaknesses without introducing new ones.
There will always be a need for the skills of professional pentesters, though. Smart humans still add value, and critical systems and high-threat environments warrant manual testing. In those situations, however, automated, autonomous pentesting can handle reconnaissance and cover a larger portion of the system under test, leaving the human testers free for the parts that need judgment. More importantly, autonomous pentesting brings pentesting, and greater security, to the masses.