Four Ways to Improve Your Penetration Testing Program
As part of Solutions Review’s Premium Content Series, a collection of columns written by industry experts in maturing software categories, Nabil Hannan, Managing Director of NetSPI, shows us four ways to improve your penetration testing program.
Let’s set the scene. For years, organizations have undergone compliance-based penetration testing (pentesting), which means they only audit their systems for security vulnerabilities when mandated to do so by regulatory agencies. However, this “tick the box” mindset, focused on ad hoc testing, exposes organizations to potential exploit risk.
Between August and October 2021 alone, a total of 7,064 new Common Vulnerabilities and Exposures (CVE) identifiers were recorded – all of which might go undetected if a company does not have an established, proactive security posture.
With malicious actors constantly evolving and maturing their attack techniques, organizations need to leave behind this outdated mindset and take the necessary steps to develop a comprehensive and ongoing penetration testing program. Here is an overview of how this can be accomplished.
Adopt an “as a service” model
Traditional pentesting programs operate on one guiding principle: organizations only need to test their assets a few times a year to properly protect their business against potential vulnerabilities. During this engagement, a pentester performs an assessment over a specified time period and then provides a static report describing any vulnerabilities found. While once considered the status quo, there are many areas of inefficiency in this traditional model.
With increasing threats, organizations need to take a proactive approach to their security posture. Technology-based as-a-service models overhaul traditional pentesting programs by creating ongoing visibility into enterprise systems. For a model as a service to succeed, engagement must allow organizations to visualize their test results in real time, orchestrate faster remediation, and perform ongoing continuous testing.
This hyper-focus on transparency from both parties will promote clear communication, with pentesters available to answer any questions or concerns in real time, rather than simply providing an unusable static report. Plus, it allows teams to truly understand the vulnerabilities in their systems so they can begin remediation before the pentesting engagement ends.
Finally, when working in an as-a-service model, pentesters can help organizations become more efficient with their security processes because they work as an extension of the internal team and can bring their industry expertise to help strengthen the security posture of their customers.
Prioritize risk, not compliance
Many organizations manage thousands of assets, from applications and network devices to components or sections of their infrastructure. With cybercriminals able to penetrate 93% of corporate networks, IT and security teams need to understand how to appropriately prioritize business tools based on the inherent risk associated with each.
To do this effectively, there needs to be a focused effort to move away from traditional testing centered on checkbox compliance and toward a renewed focus on risk management. A risk-based security strategy will focus on the following: differentiate between assets and risks, rank the risks, and then test based on what needs to be prioritized in the moment, with the ability to quickly pivot as needed.
Risk scoring, or the ability to rate business assets according to the risk they pose to a business and compare the risk exposure for each, is necessary to understand how risks should be prioritized.
Organizations can also take advantage of this type of scoring to rank their different business units or departments, determining which ones have security measures in place and which ones need improvement. This transparency creates internal competition between different lines of business so that they can work more effectively to improve their security efforts. Additionally, risk scoring allows organizations to compare themselves to peer organizations within their industry and establish a baseline to work from.
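The risk scoring described above, as an added illustration that is not from the article or from NetSPI: a constructed asset inventory is scored on exposure, data sensitivity, unresolved findings, and time since the last test; assets are ranked to decide what to test next, and the same scores are averaged per business unit for the internal comparison the text mentions. The weights and the formula are assumptions chosen for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Asset:
    name: str
    unit: str               # business unit that owns the asset
    exposure: str           # "internet" or "internal"
    data_sensitivity: int   # 1 (public) .. 5 (regulated data)
    days_since_test: int    # age of the last pentest
    open_findings: int      # unresolved findings from prior tests

# Assumed weighting: internet-facing assets count three times an internal one.
EXPOSURE_WEIGHT = {"internet": 3, "internal": 1}

def risk_score(a: Asset) -> float:
    """Constructed formula: higher means the asset should be tested sooner.
    Staleness grows linearly to a cap of one year and scales the base risk."""
    staleness = min(a.days_since_test, 365) / 365          # 0.0 .. 1.0
    base = EXPOSURE_WEIGHT[a.exposure] * a.data_sensitivity + 2 * a.open_findings
    return base * (1 + staleness)

def prioritize(assets):
    """Rank assets so the test queue can be re-ordered whenever scores change."""
    return sorted(assets, key=risk_score, reverse=True)

def unit_scores(assets):
    """Average risk per business unit, for comparing lines of business."""
    by_unit = defaultdict(list)
    for a in assets:
        by_unit[a.unit].append(risk_score(a))
    return {u: round(sum(s) / len(s), 2) for u, s in by_unit.items()}

# Constructed sample inventory (not real systems).
SAMPLE_ASSETS = [
    Asset("customer-portal", "retail", "internet", 5, 400, 2),
    Asset("hr-intranet", "corporate", "internal", 4, 30, 0),
    Asset("payments-api", "retail", "internet", 5, 60, 0),
    Asset("build-server", "engineering", "internal", 3, 200, 3),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSETS):
        print(f"{risk_score(a):6.2f}  {a.name} ({a.unit})")
    print(unit_scores(SAMPLE_ASSETS))
```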
Leverage both automated and manual testing
As organizations grapple with cybersecurity and technology talent shortages, automation takes center stage. When it comes to pentesting, many have identified automated testing as the model of the future. However, to be truly effective, manual testing must always play a role, no matter how technology evolves.
Although tools and scanners currently exist that test for specific vulnerabilities, scenarios, or controls such as input validation, output handling, and encryption, the technology cannot automatically determine the intent, characteristics, or functionality of business assets – especially with software increasingly being built and used for emerging use cases.
This is where the human component comes in. By working alongside automated technology, pentesters can test systems to identify vulnerabilities the technology misses, providing 24/7, 360-degree coverage for organizations. To be successful, pentesting companies or in-house security teams must develop a comprehensive testing methodology in which automated tools help guide and direct testing, while humans use their experience and expertise to uncover business logic vulnerabilities that the tools just can’t find.
Although automation alone is not the ideal solution for a penetration testing program, it is needed to help manual pentesting teams get off to a solid start. Another advantage? It frees up time for human pentesters to manually test the assets that they know the technology may miss, making their role more strategic and efficient. With external threats and enterprise software evolving rapidly, humans and technology must work cohesively to provide assured security coverage.
Take a holistic approach to pentesting
Proactive cybersecurity efforts cannot be accomplished in silos. When testing various systems, teams need to have coverage across all of their assets and systems. Although it can be difficult to take a holistic approach depending on the size of the organization, it is essential to maintain an appropriate inventory of what is tested and what needs to be prioritized, and to keep that inventory current as the organization integrates additional technologies and solutions.
Systems should not be tested separately; instead, they should be viewed as a cohesive ecosystem that must be maintained in order to pursue seamless business operations. Ultimately, this systems visibility gives organizations a better understanding of the pentesting strategy they need to deploy, which will separate the security leaders from the security laggards.
Pentesting is a strategic asset, and business leaders should treat it as such to properly defend their networks against external and internal threats. While it can take time and effort to change corporate mindsets about this traditional practice, upgrading your penetration testing program is one of the best ways to stay ahead of the game and discover security vulnerabilities before a malicious actor does.