Pentesting is Just the Beginning

In a world where automation, Artificial Intelligence, and cryptocurrencies are the main drivers of a new tech revolution, security engineering skills like pentesting, cloud security, or the blue team gap become wider. It is no secret that the rising demand has created a substantial market for contract-based pentesting - a gig-style, one-and-done arrangement driven by global freelancing and bug bounty platforms.

Dragos Stanescu - July 13, 2021
  • Security Engineering
  • C-Level
Pentesting is Just the Beginning
WORD AHEAD

'There are two ways of spreading light: to be the candle or the mirror that reflects it.' - Edith Wharton 
HOW REAL EXPERTISE UNDERLIES SECURITY SKILLS AS A SERVICE

Penetration testing is an essential cybersecurity service. It’s one of the only reliable ways to test the efficacy of the security systems your team has implemented, and rising demand has created a substantial market for contract-based pentesting—a gig-style, one-and-done arrangement driven by global freelancing platforms.

We also run a closed global resource network service, and, technically, the professionals from our network also offer pentesting as a service. But our business model is much, much more specialized. Thanks to a unique set of skills we learned before starting a cybersecurity career 21 years ago, our onboarding process backed up by an AI-driven algorithm selection criteria, and the overall team assembly matching criteria, we are entirely different and more efficient than the current standard and, frankly obsolete approach, applied by our competitors—only this way we can offer Security Skills as a Service (SSaaS) business model.

Security Skills as a Service is a comprehensive and adaptable service offering that includes assessment; customized and purpose-specific testing; education, guidance, and recommendations; in-depth discussion of innovative and original options; access to informational and technical resources; and best-in-class security solutions.

It is made possible by the way we build our workforce. The Security Hubs' network consists exclusively of elite security engineers, trustworthy professionals who are highly educated and bring a minimum of five years of hands-on experience supporting top US business and other global companies, from startups in their journey looking to build a solid cybersecurity foundation, up to addressing complex security problems often noticed in corporate environments. We think of them not just as specialists but as modern-day craftspeople.

The security test should try fingerprinting, enumerate active services and open ports, validates, and exploits known vulnerabilities in your network infrastructure, on-premises, or the cloud, helping to keep your sensitive information and systems better protected. While the final benefit of executing security, testing remains somewhat the same for all the infrastructure penetration testing type, a couple of key differences between them should be mentioned as follow:

CONTRACTORS AND CRAFTSPEOPLE



Before the industrial revolution, quality couldn’t be assured using reputable, automated processes. There were no assembly lines, no QA teams, no Six Sigma, and no mass production of identical components. Instead, quality came from craftsmanship—from the kind of comprehensive, adaptable, practical expertise that can only be achieved through years of project-based work in a specific domain. Where Adidas' ultramodern factories rely on fully automated, triple-checked manufacturing, a medieval cobbler would have relied on a thousand small skills to guarantee that every pair of shoes was a perfect fit for its future owner: identifying just the right leather by smell and feel, working an awl, measuring feet with chalk marks, compensating for the shape of individual arches and toes, carving wooden “lasts” to support the leather as they worked, and on and on. The British Shoe Company says that its master shoemakers perform 260 distinct processes for every pair they make.

Of course, in most industries, real expert craftspeople have long been replaced by automation and standardization. In many cases—especially in manufacturing—the results have been extraordinary, with the personal expertise of master crafters slowly built into the injection molds and computer-controlled cutting, sanding, polishing, and printing processes that modern manufacturing relies on.

But there are still some areas where craftsmanship is needed. This is most true in service domains where the service rendered is highly context-sensitive. Where each case can be substantially different from the last. Here, the traditional skills of a master craftsperson are needed—not the 260 skills for making a shoe, of course, but the “professional vision” that allows a true domain-specific expert to assess a messy, complicated situation and immediately understand what needs to change.

There’s only one way to develop that kind of skill, and that’s to solve hundreds of different, disparate problems with excellent supervision in real-world, real-stakes environments. That’s how apprenticeships have always worked, and it’s how security professionals in other industries learn to coordinate and work together.

THE CRAFT OF PROFESSIONAL PENETRATION TESTING



Consider the typical pentest report. It’s either generated automatically or filled in by hand from a standardized template. It’s disorganized, hyper-technical, and mainly incomprehensible to non-specialists. If you’re lucky, it might be supported by an issues library or taxonomy, but that’s it. It is of very little value to top-level decision-makers who need actionable, well-structured information that enables them to evaluate their options with respect to relevant context and outcomes considerations.

Such reports often lack either executive summaries and reference sections or omit crucial process-based aspects of the assessment, such as details of reproducing vulnerabilities that have been identified (to allow for repeat testing) and recommendations for remediation (actually to solve the issues described).

A "Specialist" delivers something altogether different. We offer a quality-controlled process that combines education and expert advice with a thorough review of underlying systems, threat modeling results, an insightful comparison to relevant alternatives, a description of options for moving forward, and, yes, also a thorough best-in-class round of penetration testing.

The degree of skill and experience that Security Hubs' team members offer means that they don’t function as gig workers, often seen with other platforms brought in to perform a single analysis and deliver a specific result. Instead, they’re consulting experts, able to assess the complete security situation of a client’s servers and web presence, offer flexible, customized guidance in a collaborative workflow, and draw on extensive background knowledge that includes system administration, cloud migrations and automation, source code reviews, and a host of other processes and procedures. In other words, they’re true craftspeople: they’ll look at where you are and explain how to get where you need to be.

We’d love to show you what our people can do. You can explore the Security Hubs' services here. To get a real sense of how we can help—and how your company can benefit from real expertise—get in touch with our team. We can't wait to amaze you!

Stay in the loop

Join our newsletter to get top security news before anyone else.