Penetration testing is delivered by certified and expert testers and is very likely to be part of your business’ security control set.
But with a variety of testing concepts, methodologies and vendor services available on the market, have you ever stopped to explore whether your pen testing program is delivering the value you expect to your business?
This article will explain the answer to this question.
As detailed in CovertSwarm’s recent What is Penetration Testing? and The Importance of Penetration Testing articles, pen testing is a simulated cyber-attack. It is performed against an organisation’s IT network, web applications or other technology systems by an individual, or team of security specialists, whose engagement is authorised by the organisation and designed to validate the security of its various internal and external assets.
Penetration testing is delivered using a defined methodology and is normally staffed by a certified penetration tester who is well-versed in most common and relevant penetration testing concepts.
So far, so clear, and it would be natural to believe that ‘value’ is therefore delivered as a result of such expert cyber engagement that is founded upon tried-and-tested schools of thinking and approach? This belief, however, is often far from the reality of what value, if any, actually materialises from traditional pentest engagements:
Penetration testing is a fascinating, technical and complex industry to operate within, and the pen test industry is filled with talented people who have established globally-agreed and adopted methodologies and approaches and developed the talent to back their delivery through commercial means.
So, what is the fundamental problem with penetration testing and why does it struggle to deliver the value expected?
The issues is that penetration testing has become outdated. It was designed for a time where we were all based in physical office locations, with on-premises server rooms or data centres that sat quietly behind firewalls within demilitarized zone (DMZ) networks that protected our critical assets and other internet-exposed services. Our perimeter network and – critically - our attack surface rarely changed. We updated our public web applications infrequently, our operating systems and applications even less frequently, and the ‘pace’ of technology change was glacial in comparison to the environment within which we all recognise our commercial world to exist today.
Slow-evolving networks don’t exist in modern, fast paced businesses. Increasingly the world’s workforce sees its teams spread globally and rarely (if ever) concentrated into singular ‘corporate’ physical locations. The exodus of technology architectures from the shackles of on-premise datacentre, in order to benefit from the advantages of the Cloud and Software-As-A-Service (SAAS) solutions have served to further empower the remote work force, and encouraged only further physical fragmentation of our teams, networks and applications architectures.
This positive and dynamic movement from static to highly-dynamic technical infrastructures in combination with the ability to change at pace, has had a significant impact upon the cyber-attack surface of most organisations.
If we now consider the impact of the further increases to this ‘change velocity’ that Agile software engineering practices and DevOps have enabled for thriving organisations, and ask ourselves the question – “Is the ‘legacy’ approach that penetration testing brings to our modern organisation adding the value I expect?”
…the likelihood is that your answer will be a firm ‘no.’ How much has already changed just this week in your organisation?
Traditional, legacy penetration testing cannot keep pace with modern rates of business and technology change. The ethos that underpins legacy penetration testing is that “point in time” testing is enough. And this is no longer true. Any approach that ‘sets a scope’ for its testing; adds a finite start date and end rate; and delivers a ‘final’ report for you to consume at the end of the engagement delivers value for only the moments that testing occurred. The results of which are out of date the moment they are published.
We call this reality of legacy testing approaches the ‘Cyber Risk Gap’ - the resulting, undetected security holes that emerge and induce risk once the testing ends, and your consultants leave the building. Perhaps not scheduled to return for 6 or 12 months?
Your business deserves better – better security, improved cyber assurance, and constantly-updated vulnerability reporting.
At CovertSwarm we provide constant cyber-attacks and focused research. We maintain a 10,000-foot view of your organisation’s cyber status, and zoom in and zoom out in a never-ending search to identify and exploit your next point of cyber compromise – notifying you of the risks, and supporting their remediation before genuine threat actors are able to exploit them.
With CovertSwarm your whole organisation is our scope. Through targeted research and intelligence gathering we filter the traditional ‘noise’ that is generated by legacy pen testing to help you and your internal team focus on the remediation of your unique zero-day vulnerabilities and maintain the commercial rates of change that keep you competitive.
CovertSwarm’s team of ethical hackers began their careers delivering extensive offensive security, defensive security, penetration testing, red teaming and covert offensive operations. The team has in excess of a centuries' worth of practical experience between its members that continues to expand and gain sophistication as our Swarm grows, our client base increases, and we continue to attract and recruit the world’s most talented people.
Our Swarm is always watching, probing and keeping pace with our clients business - delivering cyber assurance and genuine commercial value to them. Every day.
Get in touch with us today and learn how we can modernise your offensive security approach and start delivering the value you expect from your cyber security program.