Penetration Testing: Moving to Maturity
Penetration testing (pen testing) is a very well-established concept in the world of enterprise cybersecurity. Even relatively non-technical business leaders are now more likely than not to have a basic understanding of what it entails. Take on the tools and techniques of a malicious cybercriminal, probe the network perimeter and see if you can discover a way in. It makes sense. It sounds, intuitively, like a sensible approach, and it is.
However, in the decades since penetration testing was first developed as a cybersecurity technique, the cyber threat landscape has shifted dramatically. Traditional penetration testing focuses on a single test period – typically once a year – resulting in a series of outputs and reports, and those reports are typically presented on a series of PDFs which need to be waded through manually.
In a dynamic and digitally-driven world, this model looks increasingly out-of-date.
As such, it is important for forward-thinking organizations to move to a more mature model of penetration testing, one that delivers a more proactive and ongoing approach to testing (and enhancing) security, and enables security stakeholders to understand the current posture seamlessly and clearly.
Penetration testing needs to go far beyond perimeter security and look at application-level vulnerabilities, particularly as cloud computing means that organizations are getting faster and faster at developing and deploying new applications. According to SureCloud’s research, 35% of organizations currently only conduct external network penetration testing, which is simply not sufficient to test against the cyber threats they currently face.
As with so many aspects of enterprise computing, there is a need for movement towards an as-a-service model of penetration testing – Pentest-as-a-Service©.
With results and guidance delivered via a cloud-based platform, PTaaS© enables organizations to tackle the two major challenges associated with more frequent penetration testing: cost, and the ability to act on the results. The former is dealt with because penetration testing is delivered via the cloud, drawing on third-party resource and consuming only as much of that resource as is required. There is no hefty outlay on technology or in-house expertise.
The latter is dealt with by digitizing the penetration test results, so that they are automatically imported into an analytics platform and transformed into clear interpretable dashboards and interfaces, with suggested remediation actions where necessary. These are offered as opposed to the static PDF reports that 50% of organizations receive. Companies receiving reports in static form are wasting time (and therefore money) by not investing in and implementing in more efficient tooling and ways of working.
The good news is that SureCloud has developed and delivered penetration testing services for years. We aren’t new entrants to this space; we are established experts.
Our Pentest-as-a-Service© model is underpinned by our highly configurable technology platform, which means that penetration testing results are available in an intuitive and responsive format, consolidated with the click of a button and reported dynamically. In turn, this means that your current security posture and remediation status can be understood and interpreted immediately – not after your standalone penetration test in a year’s time.
This proactive, iterative and ongoing approach to not only network but also application security, is in clear keeping with the Open Web Application Security Project (OWASP)’s Software Assurance Maturity Model (SAMM) – a model guiding software developers through the secure development and deployment of new applications. Version 2.0 of the SAMM is now being developed, and Chris Cooper, our Cybersecurity Practice Manager, is part of the team currently working on the core model.
As a result, he is best-placed to guide you through why the new version is being introduced and how to use it – in conjunction with concepts like PTaaS© – to move your penetration testing to genuine maturity.
Chris presented the webinar, Everything You Need to Know About OWASP SAMM 2.0 on Thursday 28th February. You can watch the on-demand webinar here.