Once is never enough: The need for continuous penetration testing

If you Google “How often should I do penetration testing?”, the first answer that pops up is “once a year.” Indeed, even industry-leading standards like PCI-DSS dictate that external penetration testing be conducted annually (or after significant changes to infrastructure or applications), while internal penetration testing takes place annually, with segmentation testing occurring every six months.

Yet today’s cybercriminals don’t work on annual schedules. They don’t wait until pen testing time rolls around and the vulnerabilities found are rectified. They strike fast, they strike hard, and they use advanced AI-powered and automated tools to exploit vulnerabilities many organizations don’t even know exist, let alone exist in their own networks. Gartner calls these threats “high momentum threats” and recommends that organizations at risk adopt a more streamlined approach to cybersecurity – including pen testing.

Meeting the challenges of agile cybercriminals requires a far more agile approach to pen testing. Here’s why and what can be done:

The need for faster cycles

Standards are catching up to the pace of cybercrime. According to the NIST Cyber Security Framework (CSF), organizations should be verifying that they have fixed vulnerabilities after every system update or patch deployment. Yet, in practice, this doesn’t often happen. The reason? Simple economics. Traditional pen testing is very resource-intensive and thus, costly. Skilled pen testers are in high demand and charge a lot for their services. A single pen test can easily cost tens of thousands of dollars for just a portion of the target IT environment. Few organizations have this type of budget – and certainly not the type of budget required to scale pen tests across their entire environment at the frequency required to ensure networks remain secure as new systems, users, and applications are updated or added.

The need for automation

The traditional attitude to manual pen testing is kind of like the traditional approach to driving navigation: nothing can replace the sophistication and accrued knowledge of a human. A taxi driver will always beat Google Maps, and a trained pen testing professional will find vulnerabilities and attacks that automated tests may miss, or identify responses that appear legitimate to automated software but are actually a threat.

The truth is, on a case-by-case basis, this could conceivably be true. But with off-the-shelf tools and services like RaaS (Ransomware as a Service) or MaaS (Malware as a Service) that use AI/ML capabilities to enhance attack efficiency – you’d need an army of pen testers to truly meet the challenges of today’s cyber threats. And once you’d found, trained and employed them – cyberattackers would simply increase their automation efforts and you’d need to draft another army. Not a sustainable cybersecurity model, clearly.

Similarly, the widescale adoption of agile development methodologies has translated into increasingly frequent software releases. Since environments are constantly evolving – the results of penetration tests performed on older or pre-release versions quickly become obsolete. And agile frequently relies on open-source and other ready-made pieces of code – which are highly prone to vulnerabilities.

For all these reasons, pen testing stakeholders are increasingly turning to automation, with the aim of achieving continuous security validation.

The need for continuity

Traditional pen testing methodologies – both manual and automated – deliver a snapshot of your network or application security posture. Yet as discussed above, environments are highly dynamic, making the attack surface a constant work in progress. When a new API is connected, a new server added, or a new version released – that snapshot is no longer valid, even if the next round of pen testing is a year away.

To combat this, organizations are moving to a continuous penetration testing model. Instead of just one test a year, these organizations adopt tools and methodologies that can test their environment continuously. Since threat actors target organizations continuously to discover and exploit new vulnerabilities, there’s really no alternative to adopting a more proactive approach to discovering and remediating vulnerabilities. Traditional point-in-time security assessments simply can’t keep up.

The bottom line

Cyber threats have become more agile, more scalable, and infinitely more dangerous. Traditional manual and periodic pen testing simply cannot offer organizations the security they require in order to survive. Only an automated and continuous model can secure constantly-changing networks and applications – helping the businesses that adopt them remain safe, remain compliant, and remain profitable.