Building a new approach to security with the next generation of penetration testing

For as long as businesses have relied on critical software, penetration testing has been a staple in the toolkit for corporate defense. From tiger teams to automated testing, security testing gives businesses peace of mind when managing vulnerabilities and how they might be exploited in real-world attacks. 

But it’s natural for processes to fall out of favor, or be replaced with better methods more in tune with how things work now. Traditional penetration testing is an example of an accepted practice that served a purpose and proved highly effective in the past, but downsides are now emerging.

There are, for example, challenges that center around hidden costs as well as the consumption of resources. They also capture a static snapshot of the state of play, meaning they fall at risk of becoming outdated and irrelevant as time goes on. 

Pen testing still has a place in testing the security of web apps and can still give businesses the reassurance they need when assessing how robust a system is. In today’s dynamic digital landscape, however, it’s more effective as part of a wider and more comprehensive approach. Pen testing as a service (PTaaS) is an evolution of pen testing that combines the benefits of traditional human-led testing with continuous vulnerability scanning for agile development cycles. But that's not where the story ends – Outpost24 takes that approach a step further yet. 

The downsides of penetration testing 

Businesses must be wary of the economics of classic pen testing, as it can be easy to overlook the hidden costs associated with the practice. In one hypothetical example, outlined in a white paper by Outpost24, a pen test is given a forecast cost of $7,500 – with the quote broken down as $750 per day for ten days. Other factors are at play that could not only extend the budget but the time it takes to complete the process, however.

An organization must factor in its internal costs such as tendering the offer of the contract, which might take a couple of days of its team's time. Appointing the vendor and negotiating the contract, too, might take approximately five days, with several more days on top to agree on a start date. There are also post-test time costs such as reviewing the report, creating remediation issues, and conducting the remediation. Taking these factors into account, a $7,500 job can balloon to a $20,000 expense, including staff's time consumed by the process.  

Meanwhile, the most common and cheapest type of pen testing – known as 'black box' testing – might not be entirely helpful. In this kind of pen testing, the tester is given no background information about a company and its tools, applications, or systems before attempting to test the security of a web app. This is more likely to reflect a real hacker's experience but operates in a restricted time frame; a real hacker, on the other hand, would have as much time as they liked to try exploits. One also needs to place full trust in the individual or group that's conducting the pen test, which is easier said than done.

Failing to employ realistic test conditions may influence the validity of the final report, no matter how many other considerations were made. A pen test needs to provide an accurate reflection of what may happen in the real world to be valuable to security stakeholders in a tangible way.

Given the fast pace of modern development cycles, it makes little sense to place full trust in a single state of play snapshot provided through a final report. Point-in-time weaknesses or vulnerabilities may, over the subsequent weeks and months, be resolved while other opportunities for exploitation are introduced into a web app's codebase. Stakeholders need to glean a perpetual understanding of their security outlay, but this makes deciding and budgeting for frequent testing a challenge. As businesses move to adopt approaches led by continuous overview, pen testing fits more and more uncomfortably in any IT security toolbox.

The evolution of penetration testing

While pen testing has its uses, PTaaS enhances its benefits while reducing its downsides. With PTaaS in place, organizations can deploy a continuous cycle of testing and remediation that lives up to agile environments – with web apps benefitting from a continuous stream of updates, improvements, and fixes.

PTaaS goes one step further than pen testing because there is no 'final report'. Instead, businesses access an interface with up-to-date results and risk scores that reflect the latest information and intelligence businesses could ask for. Remediations are also validated instantly, with rapid reporting methods meaning developers can carry out fixes in conjunction with the pen testers' methods and processes. In that vein, there's also continuous communication between in-house staff and pen testers – with relationships and working dynamics evolving.

Some companies have taken PTaaS to the next level: Outpost24’s SWAT solution, if deployed in one’s business, can combine the benefits of manual pen testing with vulnerability scanning and risk scoring. Outpost24's highly skilled and experienced pen testers will give the most accurate view of vulnerabilities – including backdoors and business logic errors that scanning might miss – while automated scanning speeds up processes and enables continuous monitoring. The intelligence gathered feeds into a risk index that helps the business identify where it can focus any remediation efforts and prioritize areas to address. 

There's a reason that pen testing has persisted for more than 60 years as a staple in security practices. But in the modern age, building on this tried and tested method – baking in perpetual testing and support with PTaaS – is key to ensuring an organization remains on top of its web app security needs.