Penetration testing is based on the premise that one of the best ways to safeguard the enterprise is to pretend to be a hacker and find the number of ways you can break into a business.
The FBI uses this strategy. It often recruits criminals such as forgers and thieves who proved especially effective at crime and in thwarting the efforts of law enforcement. These former criminals become consultants who are highly skilled at spotting scams. Frank Abagnale is one of the most famous, the subject of the movie “Catch Me If You Can.”
Penetration testing is a formalization of this approach. A range of tools has been developed to automatically probe networks and systems for different weaknesses.
Here are some of the top trends in penetration testing:
1. Understand the external attack surface
Nabil Hannan, managing director, NetSPI, has noted a greater focus on testing and understanding the external attack surface of organizations.
Over the last two years, with the shift to working from home, businesses had to make drastic and rapid transformations in the way they operate. As a result, not only did the threat model of their business change, but the external-facing attack surface of their organization evolved.
Enterprises now have assets that are exposed to the internet and are regularly changing — and these changes are occurring more rapidly with cloud-hosted systems. That’s one of the drivers behind attack surface management solutions, such as NetSPI’s ASM. Organizations use these solutions to continuously monitor their attack surfaces and proactively identify areas of risk in a timely manner.
“Creating and managing an accurate inventory of internet-facing assets and being able to identify potential exposures and vulnerabilities have become key focuses for many organizations,” Hannan said.
2. Incremental and more frequent testing
With software development moving to a more agile life cycle, organizations are starting to introduce penetration testing on a more frequent basis to align with software development sprints, according to Hannan with NetSPI.
As penetration testing is a manual process performed by humans, it can be time consuming. Therefore, doing full penetration tests every sprint or every few sprints often is not feasible or realistic.
“Instead, organizations are starting to do more focused incremental penetration tests on their applications as they change,” Hannan said.
“They do this by focusing on the areas of the application that are new or are being modified. This allows for faster rounds of penetration testing that can be aligned with software development sprints.”
3. Pen testing-as-a-service
Organizations are also focused on ensuring that they can take penetration testing results and automatically manage vulnerabilities identified through their defect tracking systems, such as Jira or ServiceNow.
To better manage the vulnerabilities from their testing, they look for penetration testing-as-a-service (PTaaS) platforms that integrate with their defect tracking systems and can programmatically submit vulnerabilities, or defects, to be tracked and remediated through the development team’s defect tracking system of choice.
4. DevOps meets security and pen testing
Andrew Obadiaru, CISO at Cobalt, forecasts that the cybersecurity responsibilities of both DevOps and security teams will become more intertwined than ever due to organizations adopting DevSecOps.
Security regulations are becoming more commonplace. Teams must expand their scope to ensure compliance with security laws. For example, it’s likely that more states will enact consumer data privacy laws and regulations requiring organizations to report breaches as they occur.
“Automation will play a key role in closing the security gap and speeding up the remediation process as teams increasingly leverage automation,” Obadiaru said.
“Identifying and monitoring for suspicious activity using automation will enable security professionals to act quickly and intercept threat attempts and thus improve response time.”
5. Supply chain attacks
We’ve seen a continued increase in the number of cyberattacks that exploit vulnerabilities within the supply chain.
For enterprise organizations, supply chains are often extensive and complex.
But Dave Hewson, co-founder and CEO of OnSecurity, believes few are putting enough pressure on their suppliers to demonstrate security best practices. After all, business supply chains will always be a key target for attackers, who seek access to a company that provides software or services to many other companies. Where else can an attacker gain potential access to many organizations that easily and quickly?
“The supply chain attack is a trend that is likely to continue for some time,” Hewson said.
“It is important for businesses to prioritize this attack vector and implement processes and use technology to help mitigate the risk.”