Unmasking the limitations of yearly penetration tests

In this Help Net Security interview, Charles d’Hondt, Head of Operations, Ambionics Security, talks about the necessity of implementing continuous penetration testing because yearly ones are not enough. They leave blind spots and cannot match the security needs of regular releases and the evolving threat landscape.

To surpass this, security and development teams must communicate better, integrate clear details on vulnerability reproduction and recommendations in their security issue reports, and provide developers with time and training to tackle security issues and improve their knowledge.

Many organizations have been accustomed to annual penetration tests. What would you tell them about the ‘blind spots’ they might be living in?

Yearly penetration tests have shown to be efficient at finding vulnerabilities, yet they lack the ability to match the security need of regular releases and the evolving threat landscape.

Waiting up to a year to conduct a security test will leave organization in the dark regarding vulnerabilities introduced by new code releases or publicly disclosed one.

New vulnerabilities on known technologies arise on a daily basis and need to be checked against an organization attack surface in real time with offensive capability.

Speed is a paramount factor between threat actors and security team to address those vulnerabilities and having the capacity to immediately check a new vulnerability against an attack surface can be game-changing.

How web applications are being built has evolved drastically over the last ten-plus years. The iterative methodologies, such as scrum and agile, the evolution of architecture, the popularity of microservices, and cloud adoption have led to frequent code releases, infrastructure modification, and constant iteration of services.

These can be as many weaknesses if not vetted properly at each iteration.

A small change in a cloud IAM ACL upon the deployment of a new service can be devastating to every linked service and waiting months for the next pentest to detect the new vulnerability is very much problematic.

Annual penetration tests is still the default practice in most companies and has been for the last decade.

New updated practices should be introduced, including continuous application and infrastructure penetration tests.

Developers sometimes view continuous penetration testing as a barrier. Why do you think this is, and how can it be addressed?

Developers may have a negative vision of continuous penetration testing if it is perceived as a time and resource constraint or a lack of communication between security and development teams.

Constant new security issues may lead developers to divert their attention and, particularly in short, agile development cycles, can be seen as a hindrance and slowing down the process.

Furthermore, security may not be perceived as important as new features and relegated, which does not allow for the needed resources to tackle security issues, such as time or training.

Continuous penetration testing can also mean different things in the security industry and should not be confused with automated scanners, which can produce overly verbose and filled with false-positives reports leading to much frustration for developers.

Those issues can be addressed through various means:

• better integration in the reporting of security issues with clear details on vulnerability reproduction and recommendation
• an established, easy-to-use, communication channel between developers and pentesters
• resources, such as time and training, allocated to developers to tackle security issues and improve their security knowledge

In terms of multi-test compliance requirements, such as PCI, how does continuous penetration testing streamline this process?

Continuous penetration testing has many advantages regarding compliance requirement. For example, PCI DSS requires a pentest every 12 months or “After any significant infrastructure or application upgrade or change”, continuous penetration testing will be compliant to that regard and be cost-effective on multiple application change over the course of a year.

Furthermore, PCI DSS requires ASV scans every three months and many Pentesting as a Service Platform (PaaST) will have options to manage those type of scans in addition to continuous penetration testing.

Can you provide an example where continuous pentesting helped a company identify vulnerabilities stemming from rapid changes in cloud and DevOps environments?

We had the case of a company which had a fast-paced DevOps cycle, upon the release of a new version of their web application, automatic tools raised an alert regarding a change on the asset.

This triggered a manual qualification of the alert and a pentest, a change of configuration allowed new routes to be exposed which led to command execution and the full takeover of the server.

In a few hours, a real-time alert was issued to the client.

With the ability to adjust test results and priorities, how do companies ensure that their continuous pentesting reports remain relevant to current threats?

Real-time reporting through a dynamic portal and easy to use channel of communication between the security and development technical teams allow a company to adjust its needs regarding vulnerability remediation, risk-assessment and prioritization.

Continuous penetration testing vendors usually provide weekly recheck of all vulnerabilities which gives an up to date risk assessment of the attack surface.

Given the fast-paced evolution of cyber threats, where do you see the future of continuous penetration testing heading?

Continuous penetration testing is an evolution in itself regarding current practices in some organization and should be more widely adopted.

I believe that the future of continuous penetration testing resides in two major evolutions.

The first one, in it’s ability to provide a complete integration to an organization tools and processes in order to streamline real-time reporting and communication.

The second evolution will be in it’s ability to synchronize and integrate to external attack surface management (EASM) and cyber threat intelligence (CTI) solutions to provide an exhaustive and complete protection.

An EASM solution will be able to feed an exhaustive list of assets of an organization to be monitored through continuous penetration testing. The goal is to provide the customer an updated and exhaustive picture of its attack surface usable by an attacker (shadow IT in particular).

And a CTI solution will provide various leaks, some of which can be used through continuous penetration testing to have a complete assessment of the risk posed by the CTI alert.

For example, darknet forum leaks of secrets on specific organization can be obtained and exploited on monitored assets. Which will lead to a real-time alert with a full risk-assessment.