Luke Potter, head of cyber-security practice at SureCloud, explains how standard penetration testing models leave customers in the dark, and what can be done to improve support after exposing an organization’s vulnerabilities
Penetration testing (Pen Testing) is a valuable service that let companies know where the vulnerabilities in their systems, applications and processes are. As organizations adopt an increasing number of cloud solutions and services, and as cyber-attacks rise, the demand for pen testing is set to rise at a compound annual growth rate (CAGR) of 13.9% over the next ten years.
This is partly driven by the continued threat of data breaches, which are becoming more numerous and severe attracting the public’s outrage with companies who aren’t careful with data, is seeing pen testing become ever more critical to businesses. And with GDPR coming into force in May, introducing potential fines of up to €20m*for those that fail to protect their customers’ data, it’s likely that more organizations will be turning to pen testing to help them achieve maximum security for their data.
However, while there is growing demand for pen testing, it is critical that organizations ensure they work with providers that utilize the latest methods to ensure optimal effectiveness.
Today’s way – Pentesting results delivered in a PDF report
Currently, most organizations tend to procure penetration testing on a one-off or annual basis. It’s then performed by a vendor and results are delivered in a static report on the organization’s vulnerabilities. The organization is then responsible for interpreting the results and enacting changes based on the recommendations provided. Managing the remediation process this way is not only inefficient, but it’s ineffective and can lead to errors, wasted time, and unresolved issues.
After a pen test is complete, most testing providers leave their customers with a PDF that is potentially hundreds of pages long. They will be given lists of things to resolve, but extracting a to-do list from the report ends up in cutting and pasting information, putting it into emails, annotating it, and trying to create spreadsheets out of the information provided in the report. As such tracking what you’ve fixed and what you haven’t is particularly difficult.
Revolutionizing the Pentesting – Pentest-as-a-Service
A better model, on the other hand, can be achieved when providers offer pentest-as-a-service (PTaaS). The scope of this could operate as a 12-month based engagement in which the vendor performs pentests as required, and delivers the results in an interactive cloud-based platform, providing ongoing support throughout the remediation cycle. This allows the customer to focus on where their work starts rather than where the Pen testers’ work finishes.
The ideal Platform will enable customers to manage their entire remediation process, extract customized reports of the vulnerability data, assign vulnerabilities to individuals or teams for resolution, and collaborate with other teams or individuals within the system. It would be provided in an accessible format, with continued support from your Pen Testing team to help interpret any nuance of the report or general guidance around cybersecurity best practice.
Why should organizations adopt the Pentest-as-a-Service model?
This subscriber-based model is much more cost-effective than the traditional one. Instead of conducting the remediation process on your own, the new pentest-as-a-service model offers direct access to your cybersecurity experts, who identified your vulnerabilities. This helps your organization’s IT team manage remediation efficiently and effectively, leaving you more secure.
Also, PTaaS provides the flexibility and scalability demanded by businesses that may also require more Pen Testing than they once did. Previously, when organizations’ IT was more static and applications and hardware were deployed less frequently, a single annual test on a business’ networks or applications was adequate.
However, with IT now more dynamic and constantly changing, the typical organization now deploys more new applications than they used to, all of which comes with the increased risk of inadvertently introducing a new vulnerability. The ‘annual’ penetration test cannot keep up with the pace of business change, whereas, in contrast, PTaaS provides the scope for conducting multiple tests throughout the year.
Furthermore, the PTaaS model provides these reports in an interactive Platform rather than a static report, enabling each vulnerability to be addressed much more effectively. This removes the need for data to be extracted to track and manage remediation, ensuring that issues are not missed or overlooked as businesses handle multiple reports.
With the increasing reliance on Pen Testing, it’s clear that current models can no longer deliver the level of assurance in security as they once did. What’s needed is a service that not only exposes organizations’ vulnerabilities but helps them patch them up effectively and efficiently.