Benefits of Pen Testing as a Service (PTaaS)

by Mark Rowe

The ‘as-a-service’ model is booming – and for good reason, writes Thomas Stacey, Application Security Auditor at the cyber and threat intelligence company Outpost24.

One such reason, implicit in its name, is a degree of automation and cloud nativity. Naturally, as both prove desirable traits for a sturdy AppSec programme, the as-a-service model has proved effective when it comes to revolutionising traditional application security, like pen testing. Pen testing-as-a-service (PTaaS) signals a shift in the future of AppSec security, mixing human capability and automation. But what is PTaaS and how does it differ from traditional vulnerability scanning?

PTaaS is the delivery of instant manual pen testing and continuous security monitoring. It combines a human approach to threat hunting and remediation with automated intelligence and scanning, covering all bases and providing additional layers of protection when it comes to securing a web app. However, neither human nor machine is right 100% of the time. Humans can pick up vulnerabilities that automated scanning can’t, like those found in broken access controls. For business leaders, the ‘as-a-service’ approach provides ease because it can be tapped into at any time, on-demand, banishing the need for a ‘cat and mouse’ style approach to web app security.

Benefit one: large and varied pool of testers

Having one tester assigned to a system over a prolonged period can cause a certain amount of complacency. Whilst there’s certainly merit in having a single tester assigned to one account who really knows the system at play, businesses can benefit from the multiple perspectives a larger roster of testers can give.

As every system is unique, so is every tester. Each pen tester has their own unique skillset that allows them to test a system and discover things that perhaps others haven’t. This also boosts creativity for pen testers and keeps them engaged.

Benefit two: compliance

Many people use pen testing services for compliance reasons. However, with traditional pen testing there’s often a delay between a report being finished, developer remediation and new web app additions that require additional testing. With this lag looms the threat of not being able to keep up with modern development cycles, despite remaining ‘compliant’ on paper. PTaaS, on the other hand, takes a much faster approach to remediation by allowing pen testers to report and test vulnerabilities in real-time.

Benefit three: remediation validation

When it comes to traditional pen testing, developers and business leaders are often presented with a static PDF report at the end of the test cycle. After receiving this report, developers are able to make changes to address the reported issues, whilst progressing the wider development. However, even if those changes are made relatively quickly, it might take months before a new test and subsequent report can be generated to verify the success of the changes. This brings us back to the aforementioned ‘cat and mouse’ testing.

The ‘as-a-service’ model of pen testing requires rapid reporting. This instant reporting allows developers to integrate their remediation process with the testers in real time. Remediation and pen testing work side by side so testers can actively confirm whether an implemented fix is working.

Benefit four: creative testing

We know that a lot of pen testing is checklist driven. As stated above, many organisations opt for pen testing for compliance reasons which literally makes it a tick box exercise. Even though the most robust cybersecurity postures will never be wholly checklist driven, checklists allow for consistency and compliance, both of which are top of mind for decision makers. They are required to guarantee full coverage of the application’s features, as well as any vulnerabilities that may affect each feature.

The frustration with traditional pen testers can often be that there’s too much focus on checkbox ticking, rather than delving into aspects of the list that look to be critically significant to the application on hand. What PTaaS does is present pen testers with new challenges, encouraging creativity. These explorations are context-dependent and unique to each application. Pen testers, in this way, are encouraged to creatively look at different aspects of an app deemed critical and discover vulnerabilities with the highest potential impact on an application.

Benefit five: communication – the human approach

Perhaps the biggest benefit of the PTaaS model is that it offers a human approach to cybersecurity. As opposed to being severed from the customer, pen testers involved in the as-a-service model are always on hand when questions arise. This direct line of communication between developers and pen testers allows both parties to actively discuss vulnerabilities and deployed fixes. This creates a synergistic approach to remediation where the developer’s initial fixes are re-tested swiftly to ensure robustness. Each party relies on, and enhances, the other’s strengths.

Benefit six: visibility

Similarly, a lack of visibility during the pen testing process can sometimes scare both developers and business leaders. Oftentimes it is only when a report is produced and presented to the team that developers can see issues raised during the test. With the real-time reporting that PTaaS creates comes control over visibility. This means that developers can view and interact with reported findings and instantly see any issues that have arisen, which also helps when it comes to prioritising remediation.

Pentesting as a service

Generally, the as-a-service model allows for greater flexibility and control over cybersecurity solutions. Specifically, when it comes to PTaaS, businesses are actively prioritising high-risk areas of web apps and remediating in real time. In many ways, this approach to web app security is a rejection of cybersecurity as a mere compliance or tick-box exercise. PTaaS opens a crucial line of dialogue between tester and developer that allows for real-time remediation, which can be endlessly valuable for both end-users and boards.

Crucially, PTaaS is about the blending of most up-to-date automated intelligence with real human capabilities to bolster security and forge connections in real time.

© 2024 Professional Security Magazine. All rights reserved.