PTaaS is the new approach to saving time and money on required security testing.
By Seemant Sehgal, CEO and Founder, BreachLock
For most organizations, the expansion of their digital footprint has continued over the last two decades. This was further amplified by the Covid-19 pandemic, as organizations had to shift to remote work quickly. Hybrid work environments and digital-only business processes have introduced new security risks. CISOs are now expected to transition from technologists to corporate leaders responsible for managing cybersecurity risks.
According to IBM’s Cost of a Data Breach Report 2022, the average global cost of a data breach has risen to an astounding $4.35 million; in the U.S., that number more than doubles, to a whopping $9.44 million. Additional findings revealed that the cost increased even more – by $1.07 million – in cases where an organization had adopted remote work.
These issues are in part due to the way organizations manage their external attack surfaces. The modern CISO lacks visibility into their expanding external attack surface – with disparate teams, especially Cloud Engineering and AppSec teams, launching devices and cloud instances on the company network without informing the Security Operations Center (SOC).
The phenomenon of “Shadow IT” has left CISOs in the dark on these critical exposures, as the SOC is unable to monitor unknown assets in order to keep the organization’s perimeter, endpoints, and critical systems secure.
The Security Testing Landscape Is Changing
To combat the cybersecurity threats and risks that are constantly evolving, it’s important for organizations to stay ahead of potential attacks by regularly conducting security testing on systems and remediating exposed vulnerabilities. However, legacy solutions to improve security testing, especially in the CI/CD pipeline, have not been adequate to prevent known vulnerabilities from being pushed into production.
The reality is that the security testing available to today’s CISO is not enough. By using experienced pentesters enabled with advanced technology and tools for security testing in the CI/CD pipeline, an organization can accelerate turnaround time and improve security outcomes – and evolve traditional security testing once and for all. The way to truly take advantage of the latest advancements and accelerate third-party penetration testing is a new service model called Pen Testing as a Service.
What is Penetration Testing as a Service (PTaaS)?
Just like a regular penetration test, PTaaS involves simulating attacks on an organization’s systems to reveal your adversary’s view of your environment. The phases are typical of a traditional pentesting engagement. In the initial discovery phase, a list of critical risks, vulnerabilities, and weaknesses is revealed. Typically, some of these are critical to remediate ASAP.
Like traditional penetration testing, Pen Testing as a Service provides routine simulated cyber-attacks on an organization’s systems to test its security maturity and controls and to identify weaknesses that could be exploited by a cybercriminal. However, PTaaS is the next-generation evolution of legacy approaches: it brings in-house DevOps engineers into the pentesting exercise early.
A PTaaS engagement still conducts security testing as a point in time. Beyond the scope of the security test report, however, PTaaS continues to offer capabilities that give the customer’s in-house teams the ability to keep testing infrastructure – where traditionally they had to rely on human pen testers and proprietary tools. Today’s PTaaS can be applied to a wide array of security testing use cases, including CI/CD security testing.
Benefits of Transitioning to PTaaS
Migrating security testing and pentesting to a PTaaS provider brings numerous benefits to the organization and its security program.
- Saves Costs: Reduces Total Cost of Ownership (TCO) with embedded security capabilities that can be removed and/or reduced elsewhere.
- Saves Time: Accelerates security outcomes with integrated remediation guidance to meet pentesting requirements faster.
- Accuracy: Provides accurate results with certified penetration testers using the same industry methodology, standards, tools, and best practices.
- Compliance: Validates compliance requirements for third party penetration testing and vulnerability scanning with certified reports and artifacts.
- Visibility: Reveals the adversary’s perspective to see attack surface exposures, critical vulnerabilities, and attack paths.
- Flexible: Scales as needed to conduct expert-led pentesting and end the penetration testing backlog without hiring additional resources.
- Agile: Enables agility for DevSecOps teams with API workflow integrations that initiate ticketing and triage of newly discovered vulnerabilities.
- Continuous: Supports continuous security testing, monitoring, scanning, and retesting throughout the remainder of the PTaaS subscription.
Selecting a PTaaS Provider
As with any new security solution, it’s important to understand how to select the true industry leaders from the copy-cat solutions.
The leading PTaaS providers have engineered their service delivery to accelerate pentest delivery. With the right PTaaS vendor, these innovations will include a cloud platform engineered with automation and AI tools to enable in-house human pen testers and clients at the same time. This is where the right PTaaS provider can increase the efficiency and effectiveness of routine security testing results.
Below are eight questions you can use to screen PTaaS providers and ensure you are getting the maximum value from your PTaaS investment. By asking these questions, you can ensure you are partnering with a reliable penetration testing service provider for your business.
1. What qualifications does the company have?
Certifications are an important mark of credibility for service providers, as they demonstrate that a provider is committed to following industry-standard practices. A good place to start when looking for a reputable and qualified penetration testing service provider is to check whether they are CREST (The Council for Registered Ethical Security Testers) certified. Being compliant with multiple international laws and regulations is critical to the integrity of the final report. You can request verification of your provider’s formal credentials, such as ISO/IEC 27001:2013 and PCI DSS, and compliance with HIPAA and GDPR.
Leaders in the Pen Testing as a Service category will also have been recognized by analyst firms such as Gartner Research, Forrester, and IDC. Seek out these recognitions and citations for pen testing as a service and DevSecOps security testing to understand the pioneers and leaders who are driving the category for maximized customer success.
2. What is the penetration testing methodology used in PTaaS?
This question confirms the PTaaS vendor’s preferred frameworks, methodologies, and strategies. Since your organization has a unique infrastructure, with its own people, technologies, objectives, and challenges, there is no one-size-fits-all approach here.
The right PTaaS provider will assign a dedicated expert to facilitate the engagement. This contact explains all the methodologies available and helps you figure out the appropriate plan for your organization. When planning a penetration test for your organization, the Penetration Testing Execution Standard (PTES) is a good place to start.
3. What is included in the penetration testing report?
A penetration testing report helps you understand the vulnerabilities in your technical infrastructure. A well-documented report can act as a good reference for your internal team even after the test is completed, as they plan their operations. One way to ensure you are getting the right provider is to request that the service provider show you one of their reports from a previous project or their sample report.
The standard elements of any compliant penetration test report will include:
- Executive Summary
- Vulnerability Overview
- Vulnerability Details
- Risk Score (such as CVSS)
- Action Plan for Remediation
4. How is cybersecurity managed in the company?
A penetration test probes for weak points in your company’s IT defenses. These weak points, if successfully exploited, could have costly consequences for your business’ bottom line. All of this data stays with the service provider even after the penetration test is done. Therefore, take the time to inquire about how they will keep your information secure after the engagement is over, and what steps they take to maintain an elevated level of security for their customers.
5. Does your penetration testing service include remediation?
We have seen many organizations hire penetration testing services, but often they only end up getting a basic vulnerability scan instead of an in-depth penetration test. Some penetration testing service providers believe in long-term relationships and offer comprehensive remediation services, while others only conduct the initial penetration test, leaving DevSecOps to perform remediation in a silo. As a decision maker for your business, an ideal choice is the PTaaS provider that integrates DevOps guidance into the service as a means to build a long-term relationship that streamlines remediation activities and supports continuous security testing.
6. Is your penetration testing service automated or manual?
Automated tools are useful in a penetration test, but they have their own set of limitations. They might miss important, high-risk vulnerabilities that can only be found through manual testing by qualified personnel. In general, at least 80% of total testing activity should be manual, while the remainder is tool-based.
A qualified PTaaS provider today uses next-generation technology, like AI and advanced automation, as a strong complement to the human penetration tester leading each exercise. Always evolving, this practical application allows customers to tap into the PTaaS provider’s advanced technology without the excessive cost of owning each technology in-house. This is how a qualified PTaaS provider can truly offer a reduction in TCO for security leaders who need to use resources and technology prudently for the highest return on investment and maximized security outcomes.
7. Who would be conducting a penetration test and what are their qualifications?
When selecting a PTaaS provider, you’ll want a partner that adheres to your compliance and security requirements, as the security testers they bring in will gain access to systems and sensitive data. It’s crucial that the security testing personnel have a sound, verifiable background. Therefore, you’ll want to interview your potential service providers to get an understanding of the testing team’s qualifications, background checks, and past work experience.
It is common for organizations to miss this step and hire someone who is lying about their credentials, or worse, has been convicted of data theft. This is why many CTOs and CIOs prefer to work exclusively with PTaaS providers that employ in-house penetration and security testers, rather than freelancing hackers and contracted bug bounty hunters. It is extremely difficult to guarantee 100% background checks of the crowdsourced staff, contractors, and bug bounty hunters available for hire in the pentesting marketplace today.
8. Will my services remain available during a penetration test?
For any service provider, it is not practically feasible to guarantee the availability of services during a test; testing systems to find security gaps in the technical infrastructure is essential. However, when working with the right PTaaS provider, your dedicated contact will communicate regularly about any potential service disruptions to minimize downtime. Furthermore, customer controls, such as a real-time ‘kill switch’ and customer support, can ensure risks are fully managed and workloads are not impacted during the penetration testing engagement.
Accelerate Pentesting Now with the Proven Leader in PTaaS
Beyond security testing for shift-left security, BreachLock’s in-house, certified penetration testers conduct full-stack penetration tests with AI-enabled automation to save you time and money compared to legacy pentesting. BreachLock’s award-winning, analyst-recognized solution includes a cloud-native penetration testing platform that cuts traditional penetration testing turnaround time and costs by 50%. To see how BreachLock’s AI-enabled, human-led security testing uses the PTaaS platform and next-generation technology to secure your environment, contact BreachLock today.