Pentesting in a Changing World - Where Do We Go from Here?

To put it mildly, cybersecurity has never been more critical. As the world has become more connected and the people in it have become more technologically literate, businesses across the globe are facing more security threats than ever before.

Cory Wilkes - April 30, 2022
  • Penetration Testing
  • C-Level
NARRATIVE

It's a no-brainer that any company worth its weight should have sound cybersecurity measures in place. But what is equally important, and often overlooked, is that those measures should be regularly tested to inform businesses of potential threats before they materialize.

That's where offensive security engineers come in. Because they come from varied backgrounds and bring niche skill sets, they represent the upgraded version of today's penetration testers/ethical hackers who, with the company's permission, attempt to compromise an organization's systems to probe its posture and reveal any weaknesses. They are a vital part of security work, and without them, unauthorized cyber-criminals would have easy backdoor access to businesses' digital assets.

Like most technologically influenced areas of expertise, cybersecurity is a rapidly changing field, and the truth is that the original pentesting techniques and practices are becoming outdated. In an era where automation is on the rise and software development produces ever more intricate and complex applications, manual pentesting is a field of expertise that must evolve to survive.

THE PROBLEMS OF PENTESTING IN THE MODERN WORLD

There is an intrinsic value that rigorous pentesting with a pair of human eyes brings to the table for most companies. This value is recognized by business professionals across a host of different industries, but the way they get those human eyes on their security systems varies widely from one company to the next. Some opt for traditional routes, using an external team of consultants to probe their defenses and weed out security concerns. Occasionally, they will use those same consultants to address the problems they encounter. Others will organize a bug bounty, where the company opens itself up to the cybersecurity community and pays bounties to anyone who uncovers security issues on its websites. Still others will employ a team of in-house security specialists to test their measures.

Each of these approaches brings its own advantages to the table, and each has its own challenges. In this article, we're going to look at two of the main human pentesting solutions that businesses use, traditional consultancy pentesting and bug bounty pentesting, explore the advantages and challenges of each, and then suggest a comprehensive solution to these challenges.

TRIED AND TESTED - CONSULTANCY PENTESTING

Consultancy-based pentesting is the bread and butter of the penetration testing world. While certain companies have a dedicated team in their employ to carry out pentesting, also known as a 'red team', most businesses in the digital sphere tend to gravitate towards the traditional model of outsourcing the work to a security consultancy. In this model the consultancy carries out the 'cyberattack' and provides a comprehensive audit report on the security weaknesses it encountered and how it found them.

- The Advantages of Consultancy Pentesting

There are many advantages to outsourcing the work to a consultancy. At its most basic level, consultancy pentesting gives your cybersecurity that human touch. Professional pentesters will use creative paths and business logic to highlight security issues that might be completely missed by an automated pentesting application. Most successful cyber-attacks are carried out by human hackers rather than their automated counterparts. These hackers will use creative and inspired ways to break down your defenses and access your networks. Hiring a consultancy firm to pentest means you fight fire with fire: pentesters think along the same creative and inspired pathways as the hackers who threaten you. In short, nothing beats the work of a human pentester.

Another major benefit that working with a consultancy brings is trust. Pentesting consultancies run rigorous background checks on their teams of cyber experts to ensure their trustworthiness, confidentiality, and above all, their skill levels. Working with a consultancy means you know you are in good hands since, after all, you can vet them before you engage them using reviews, recommendations, and word of mouth. Security consultants adhere to strict, legally binding contracts with solid confidentiality agreements, meaning you can rest assured that any security weaknesses revealed will stay between you and the consultancy. This level of trust has fuelled productive relationships between businesses and security executives since the early nineties.

Finally, there is the expertise you get from outsourcing to a consultancy. It is in the best interests of every cybersecurity firm to employ the best ethical hackers on the market, and by extension, that is what you will receive as their client. Cybersecurity firms actively fill specific roles within their companies so that they can cover most elements of the broad spectrum of cyber threats. This widespread expertise means you will get better coverage of your security systems. You will be made aware of more specific, more exact, and more unusual security issues than you would with an automated system or a bug bounty. Cybersecurity firms are so trusted and valued by the security community that third-party pentesting is mandatory under various international standards and compliance certifications, one major standard being the Payment Card Industry Data Security Standard (PCI DSS).

- The Challenges of Consultancy Pentesting

The biggest challenge to pentesting is the price point that traditional cybersecurity firms have established as the status quo. Because of the value of the expertise that consultancy pentesting brings to the table, many clients balk at the price of traditional pentesting. They will instead pursue other avenues that cost less but consequently achieve less than stellar results or deliver a worse signal-to-noise ratio.

Cohesiveness between in-house teams and the consultancy firm is another challenge. Friction arises when technicians and security staff in the client's employ are required to maintain regular contact with the consultancy and carry out the work needed to address the results of the tests. This takes up resources and time that those engineers and security executives simply do not have the capacity for. Most regard it as a necessary evil, but a time-, resource-, and money-consuming evil nonetheless.

The next challenge is the fact that many pentesting consultancies do not go beyond providing a report of their findings. They stop short of the next steps, which are equally important parts of the security mitigation process: prioritization, extended analysis, and ultimately, resolution. Traditional cybersecurity consultants leave these integral steps to the client, who then needs to spend even more money, resources, and manpower on mitigating the risks. It can leave clients frustrated and less inclined to opt for consultancy-based work over freelancers or bug bounties. The obvious way for consultancies to tackle this issue is by improving their post-report support, offering prioritization suggestions, and re-testing after mitigation has been attempted. Of course, this solution opens its own roster of challenges to overcome, such as higher prices to compensate for the extra work and the fact that the consultancy may not have the capacity for the new mitigation and prioritization stages.

That brings us nicely to the final challenge, which is one of capacity. Pentesting is a highly specialized practice that requires a diverse spread of skill sets across an entire team. It can be hard to hire even a single pentester for a specialized role, never mind an entire team. As a result, few consultancies are able to keep up with such high demand for talent. Assignments get fully booked quickly, filling up for months or more. This leads to problems for clients because the extended timeframe rarely matches the fast-changing nature of modern software development, which is based on iteration and constant updates. By the time the pentest results are delivered, the threat landscape has evolved again. It is almost like creating a vaccine for a rapidly evolving 'bug': by the time the vaccine is tested and ready to put into place, the 'bug' has evolved again, rendering the vaccine obsolete. Until pentesters can deliver results early or adapt effectively to the life cycle of modern software, they will always be left behind.

THE NEW KID ON THE BLOCK - BUG BOUNTIES

The name 'new kid on the block' is probably a misnomer. The idea goes back as far as 1983, when Volkswagen promised one of their cars to anyone who could find a bug in their revolutionary new operating system. But in the last decade, bug bounties have become an ever more popular pentesting solution, where companies challenge freelance pentesters around the world to find bugs in their systems. The companies then pay a bounty for every bug found. Like every pentesting technique, bounties have their advantages and challenges.

- The Advantages of Bug Bounties

Whenever anyone in the security industry discusses bug bounties and why they use them, the first thing that inevitably comes up is the cost. Bug bounties are a cheap alternative to traditional pentesting because, essentially, you only pay for the security issues found rather than for a contracted length of time. If a bug bounty returns no security issues, you pay no bounties, yet you will still have had your security measures probed by a wide range of security researchers. If a bug bounty does return a security issue, then you pay a one-off fee which, chances are, will be less than you would have paid for the contracted services of a consultancy. You pay per result, which remains an attractive choice for many businesses.

There is also the practicality of bug bounties. As a pentesting solution, countless internal teams within client businesses find it much easier to post and update bug bounties and respond to reported security issues than to maintain a contract with a consultancy. As a rule, you can initiate a bug bounty program quickly and easily, either independently or through vendors, and open up your code to security researchers with a wide range of expertise. You can also modify the requirements swiftly, a helpful thing to be able to do given the rapidly changing nature of software development mentioned earlier. All this can be done without setting up meetings, discussing invoices, and maintaining constant, resource-draining communications.

- The Challenges of Bug Bounties

Going down the bug bounty route does have its challenges, of course, namely that the lack of a contract means you are opening your code to hundreds, potentially thousands, of security researchers. Those numbers, and the fact that the researchers are under no obligation to share the details of how they uncovered the security issues, mean that the amount of data you can get from their reports is minimal. They won't tell you how they found the issue, what methods they used, or what software they worked with: all the data points and insights that you would get from any decent consultancy pentesting report. Further, you will not know how much of the code they actually tested. Because you will not know their expertise levels, a lot could fly under the radar that you may never know about. This is, however, remedied to some extent by the large number of pentesters involved.

While we covered that bug bounties can be more practical, there is another, more complicated half to the story. Bug bounties can result in numerous issues being reported, all of which need dedicated teams to assess their validity. This requires communication lines to be set up with individual researchers, which brings its own problems of responsiveness and availability. Those reports that turn out to be valid will then need to be remedied and mitigated, which requires the cooperation of the researcher and more resources set aside to complete the work. In short, bug bounties take up a lot of time and patience in their management and their application to your business model.

Then, of course, there is the challenge of creating the bug bounty in the first place. You will need to create one that strikes the right balance between being cost-effective and wide-ranging, while also offering fair and attractive terms to the security researcher community. It must be a bounty that is adaptable and keeps potential testers interested in the long term. One of the problems with bug bounties is that many companies use them, including big names like Google, PayPal, and even the US Government. These big names have a lot of resources, meaning your bug bounty will be competing for researchers' time against companies that can put far more financial weight behind each bounty. Smaller businesses need to stay on their toes to keep researchers interested.

THE BEST OF BOTH WORLDS - SECURITY SKILLS AS A SERVICE

As outlined above, neither traditional pentesting solutions nor bug bounties are perfect methods of testing your cybersecurity. While both bring unique benefits, they also get bogged down by practical, financial, and functional problems that neither can fix.

This is where Security Skills as a Service comes in. Security Skills as a Service combines a SaaS platform with a closed, managed global network of offensive security engineers, allowing businesses to maximize their security programs' output by focusing on assessing gaps and fixing pivotal vulnerabilities. To put it more simply, it is pentesting on demand, but with the right ingredients.

The benefits are numerous. You get all the expertise, the customer care, the trustworthiness, the vetted researchers, and the professionalism of consultancy pentesting with the flexibility, the ease of use, and the cost-effectiveness of bug bounties. And all of this is collated into a single handy platform. Best of all, this kind of fast reaction to security concerns means you will be able to address issues as soon as they appear, thanks to rapid-fire testing and mitigation expertise.

At Security Hubs, we did not invent pentesting on demand, but we absolutely believe that it is the way forward for modern security testing. That is why we build our pentesting approach around the Security Skills as a Service model. We know that the problems of pentesting are not on the client's side of the house. They are on the service providers' side, and we are working hard to make our pentesting service one of the best and most customer-focused around.

Given the current challenging global environment, the Security Skills as a Service model is uniquely positioned, and we want to build on our past successes to make the process of offensive security testing as efficient for our clients as we can.

Our three pillars are professionalism, simplicity, and above all, an obsession with our clients. If our Security Skills as a Service piques your interest, get in touch today to discuss how we can help you strengthen your cybersecurity posture.