Penetration Testing in a Changing World - Our Approach to Pen Test

It's a no-brainer that any company worth its weight should have sound cybersecurity measures in place. But what's equally important, and often overlooked, is that those measures should be regularly tested to inform businesses of any potential threats before they happen.

Cory Wilkes - April 30, 2022

Types of Pen Testing

Penetration testing, also known as pen testing or ethical hacking, is a legal and authorized process used to test an organization's network, computer systems and applications for vulnerabilities. Pen tests help organizations identify weaknesses in their security posture so they can take steps to fix them before threat actors find and exploit them.

There are different types of penetration tests, including internal and external tests, black box and white box tests, and targeted and untargeted tests. Usually, the external tests are conducted by third-party security firms that simulate the actions of real-world attackers.

Are all the Pen Testing Providers the Same?

When it comes to choosing a pen testing provider, there are a few key factors to keep in mind. First and foremost, you'll want to make sure that the provider you choose has a proven track record of delivering results.

  • There's no point in working with a pentesting provider if they're not able to provide you with the meaningful security vulnerabilities you need to improve your security posture.

  • Secondly, you'll want to make sure that the provider you choose offers a comprehensive suite of penetration testing services and uses a well-rounded testing methodology for each asset type. A good security services provider will be able to offer a large spectrum of services from infrastructure penetration testing to application pen testing.

  • Finally, you'll want to make sure that the penetration testing provider you choose is transparent about their pricing and terms of service, that they use qualified resources to find vulnerabilities, and that they understand how to avoid reporting false positives. By keeping these factors in mind, you can be sure that you'll find the best possible pentesting provider for your needs.

And that's where offensive security engineers come in. As they come from various backgrounds and bring niche skill sets, they represent the upgraded version of current penetration testers/ethical hackers who, with the company's permission, attempt to gain access and compromise organizations' systems to probe their current security posture and reveal any weaknesses from the basic firewall level and beyond. They are a vital part of any modern organization, and without them, unauthorized threat actors would have bypassed current security controls and accessed the business's digital assets.

Like most technologically influenced areas of expertise, information security is a rapidly changing field, and the truth is that the original pen testing strategies are becoming outdated. In an era where automation is on the rise and software development produces more intricate and complex applications, manual pentesting is a field of expertise that must evolve to survive.

What Are the Problems of Penetration Testing in the Modern World?

There is an intrinsic value that rigorous pentesting with a pair of human eyes brings to the table for most companies. This value is recognized by business professionals across a host of different industries, but the value they get from those human eyes on their security system, especially application security, almost always varies from one test to another. Some opt for traditional routes, using an external pen testing consultancy to probe their defenses to weed out security concerns. Others will organize a bug bounty, where the company opens up to the security researchers' world and pays bounties to anyone who uncovers security concerns on their websites. Others will employ a team of in-house security specialists to test their measures.

Each of these brings its own advantages to the table, and each also has its challenges.

In this article, we're going to look at two of the main human pentesting solutions that businesses use: traditional consultancy pentesting and bug bounty pentesting; we're going to explore and outline the advantages and challenges faced by each one before going on to suggest a comprehensive solution to these challenges.

Tried and Tested - Consultancy Penetration Testing

Consultancy-based pentesting is the bread and butter of the penetration testing world. While certain companies have a dedicated team in their employ to follow a pen testing process and carry out in-depth testing, sometimes known as a 'red team' through the nature of its final scope, most businesses in the digital sphere tend to gravitate towards the traditional model of outsourcing the work to an online security consultancy.

This model sees a consultancy conduct a simulated attack and provide a comprehensive audit report on the security weaknesses they encounter. The simulated attack is carried out semi-automatically, using various testing tools. Some vendors perform an automated vulnerability assessment scan (aka a bare-bones security assessment) at the lowest tier, but this cannot be considered a genuine pen test that seriously tests an organization's security posture. The process of uncovering security flaws uses a diverse and specialized set of pen testing tools, ranging from open source tools to custom scripts.

[+] Advantages

There are many advantages to outsourcing the work to a consultancy. At its most basic level, consultancy pentesting gives your security program that human touch. The testing team will use creative paths and business logic to highlight attack vectors that might be completely missed by an automated pentesting application, and your security team will see some value at the end of the engagement. Most successful compromises are carried out by human hackers rather than their automated counterparts. These hackers will use creative ways to break down your defenses and access your networks. Hiring a consultancy firm to pentest your assets means you fight fire with fire. Most security professionals think along the same creative and inspired pathways as your potential hacking threats. In short, nothing beats the work of a human pen tester, and this has been seen constantly from the web application security perspective.

Another major benefit that working with a consultancy brings is trust. Pentesting consultancies run rigorous background checks on their teams of security engineers to ensure their trustworthiness, confidentiality, and their skill levels. Working with a consultancy means you know you are well cared for since, after all, you can vet them before you work with them using reviews, recommendations, and word-of-mouth. Security consultants adhere to strict, legally binding contracts that have contractually solid confidentiality agreements, meaning you can rest assured that any security weaknesses revealed will stay between you and the consultancy. This level of trust has fueled productive relationships between businesses and security executives since the early nineties.

Finally, there is the expertise you get from outsourcing to a consultancy. It is in the best interests of every security vendor firm to have the best ethical hackers on the market as their employees, and, by extension, that is what you will receive as their client. Pentesting firms actively fill specific roles within their companies so that they can cover most elements in the broad spectrum of threats. This widespread expertise means you will get better coverage of your security system. You will be made aware of more specific, more exact, and unique findings than you would with an automated system or a bug bounty. Security services vendors are so trusted and valued by the security community that third-party pentesting is mandatory for various international standards agencies and compliance certificates, one major standard being the Payment Card Industry Data Security Standard (PCI DSS).

[-] Challenges

The biggest challenge to pentesting is the price point that traditional pentesting firms have established as the status quo. Because of the value of the expertise that consultancy pentesting brings to the table, many clients balk at the price of traditional pentesting. They will instead pursue other avenues that cost less but consequently achieve less than stellar results or provide a higher noise-to-signal benchmark.

Cohesiveness between in-house teams and the consultancy firm is another challenge. Friction arises when security experts and security staff in the client's employ are required to maintain regular contact with the consultancy and carry out the necessary work to address the results of the tests. This takes up resources and time that those engineers and security executives simply do not have the capacity for. Most regard it as a necessary evil, but one that consumes time, resources, penetration testing tools, and money nonetheless.

One of the biggest hurdles in creating a successful security program is finding people with the right qualifications and knowledge of the systems.

The next challenge is the fact that many pentesting consultancies do not go beyond providing a report of their findings. They will stop short of fulfilling the next steps. These next steps are equally important parts of the security breach mitigation procedures. These procedures include prioritization, extended analysis, security policies definition support, and resolution.

Traditional cybersecurity consultants will leave this integral step of the process to the client, who will then need to spend even more money, resources, and manpower on mitigating the risks, adjusting security policies, and patching detected issues. It can leave clients frustrated and less inclined to opt for consultancy-based work over freelancers or bug bounties. The immediate, obvious way that consultancies can tackle this issue is by improving their post-report support, offering prioritization suggestions, and re-testing after mitigation has been attempted. Of course, this solution opens its own roster of challenges to be overcome, such as higher prices to compensate for the extra work and the fact that the consultancy may not have the capacity for the new mitigation and prioritization stages.

That brings us nicely to the final challenge, which is one of capacity. Pentesting is a highly specialized practice that requires a diverse spread of skill sets over an entire team. It can be hard to employ just a single pentester for a specialized role, never mind an entire team. As a result, there are few consultancies able to keep up with such high demand for talent. Assignments get fully booked quickly, filling up for months or more.

This leads to problems for clients because the extended timeframe rarely matches up with the fast-changing nature of modern-day software development, which is based on iteration and constant updates. By the time the pentest results are delivered, the nature of cybersecurity threats has evolved again. It is almost like creating a vaccine for a rapidly evolving 'bug'; by the time the vaccine is tested and ready to put into place, the 'bug' has evolved again, rendering the vaccine obsolete. Until penetration testers can provide the results early or adapt effectively to the life cycle of modern software, they will always be left behind.

What About Bug Bounties?

The idea originally goes back as far as 1983, when Volkswagen promised one of their cars to anyone who could find a bug in their revolutionary new operating system. But in the last decade, bug bounties have become an ever more popular pentesting solution, where companies challenge freelance penetration testers around the world to find bugs in their security systems. The companies then pay a bounty for every bug found, either via automated testing tools or manually. Like every pentesting technique, bounties have their advantages and challenges.

[+] Advantages

Whenever anyone in the security industry discusses bug bounties and why they use them, inevitably, the first thing that comes up is the cost. Bug bounties are seen as a cheap alternative to traditional pentesting because, essentially, you only pay for the security threats found rather than paying for a contracted length of time. If a bug bounty returns no added value in findings, you pay no bounties, and you will have had your security measures probed by a wide range of security researchers. If a bug bounty does return a security issue, then you will pay a one-off fee which, chances are, will be less than you would have paid for the contracted services of a consultancy. You pay per result, which remains an attractive choice for many businesses.

There is also the handy practicality of bug bounties. As a pentesting solution, countless internal teams within client businesses find it much easier to deal with posting and updating bug bounties and responding to reported gaps than maintaining a contract with a consultancy. As a rule, you can initiate a bug bounty program quickly and easily, either independently or through vendors, and open your code to a pool of security researchers with a range of expertise. You can also modify the requirements swiftly - a helpful thing to be able to do when considering the rapidly changing nature of software development that we mentioned earlier. All this can be done without setting up meetings, discussing invoices, and maintaining constant and resource-draining communications.

[-] Challenges

Going down the bug bounty route of pentesting does have its challenges, of course - namely, that the lack of a contract means that you are opening your code to hundreds, potentially thousands, of security researchers. Those numbers and the fact that the researchers are under no obligation to share with you the details of tools and techniques, or if a penetration testing execution standard was followed while testing the target system, means that the amount of data you can get from their reports is minimal. There could be important missing data points and insights that you would get from any decent consultancy pentesting report. Because you will not know their expertise levels, there's a lot that could fly under the radar that you may never know about.

While we covered that bug bounties can be more practical, there is another, more complicated half to the story. Bug bounties can result in numerous breaches being reported, which will all need dedicated teams to scour through for their validity. This requires communication lines being set up with individual researchers, which brings its own problems of responsiveness and availability. Those breaches that come up positive will then need to be remedied and mitigated, which requires the cooperation of the researcher and more resources being set aside to complete the work. In short, bug bounties take up a lot of time and patience in their management and their application to your business model.

Then, of course, there is the challenge of creating the bug bounty in the first place. You will need to create one that hits the perfect balance between being cost-effective and wide-ranging, while also offering fair and attractive terms for the security researcher community. It must be a bounty that is adaptable and must keep potential testers interested in the long term. One of the problems with bug bounties is that many companies use them, including big names like Google, PayPal, and even the US Government. These big names have a lot of resources, meaning your bug bounty will be competing for the time of security researchers against companies that can put a lot more financial weight behind each bounty. Smaller businesses need to keep on their toes to keep researchers interested.

The Best of Both Worlds - Penetration Testing as a Service

As outlined above, neither traditional pen testing solutions nor bug bounties are perfect methods of testing your organization's current security posture. While both bring unique benefits, they also get bogged down by practical, financial, and functional problems that neither can fix.

This is where Penetration Testing as a Service comes in. Penetration Testing as a Service combines a SaaS platform with an invite-only global network of offensive security engineers, allowing businesses to maximize their security program's output by focusing on assessing gaps and fixing pivotal vulnerabilities. To put it more simply, it is pen testing on demand but with the right ingredients, like asset discovery, continuous on-demand scanning, and other similar modules.

[+] Advantages

The benefits are innumerable. You get all the expertise, customer care, trustworthiness, vetted researchers, and the professionalism and trust of consultancy pentesting with the flexibility, the ease of use, and the cost-effectiveness of bug bounties. And all of this is collated into a handy pentesting management and collaborative platform. Best of all, this fast reaction to security concerns means you will be able to address issues as soon as they appear, thanks to rapid-fire testing, descriptive exploits, and mitigation expertise, whether you are testing a web application or your infrastructure.

And at Syn Cubes, that is why we focus our pentesting approach around the Penetration Testing as a Service model. We know that the problems of pentesting are not on the client's side of the house. They are on the service providers' side, and we are working hard to make our pentesting service one of the best and most customer-focused around, with hacking techniques inspired by real-world attacks.

Given the current challenging global environment, the Penetration Testing as a Service model is uniquely positioned, and we want to build on our past successes to make the process of offensive security testing as efficient for our clients as we can.

If our Penetration Testing as a Service piques your interest, get in touch today to discuss how we can help you strengthen your cybersecurity posture.

Be the adversary - attack first