2019 has been an interesting year for cybersecurity.
In some respects, not much has changed. There were still a ton of breaches. Hundreds of millions of customer records were compromised. And a handful of big-name brands made headlines for all the wrong reasons.
But it wasn’t all bad news.
In amongst countless phishing attacks, new malware variants, and vulnerability exploits, one huge positive came out of 2019. Organizations of all sizes and across all industries have come to recognize the vital role cybersecurity plays in business operations.
With executive boards, stakeholders, and even customers starting to ask hard questions about how their data, money, and assets are being kept safe, it’s clear that 2020 will be a year of further maturation for cybersecurity programs.
And of course, pentesting will be no exception.
What’s Driving Changes in Pentesting?
The days of traditional pentesting are coming to an end. The old model is no longer fit for purpose, and the way organizations consume pentesting has been evolving for some time.
And while there are plenty of contributing factors, two major trends in the technology landscape are already having a profound effect:
The proliferation of applications coming online via the cloud, APIs, and mobile.
Applications are more complex, change more frequently, and incorporate more business logic.
Why do these trends affect pentesting? Because as applications become more connected and complex, they also become easier targets for cybercriminals. To counteract this, the way applications are security tested will need to fundamentally change.
With that in mind, here are the three pentesting trends we believe will play a huge role in 2020.
Prediction #1: Goodbye PDFs, Hello Pentest Platforms
Let’s be honest, PDF reports from pentests were never a good thing. They aren’t developer-friendly. They don’t scale. And worst of all, the quality of many pentest PDF reports leaves a lot to be desired. That’s why in 2020, we believe there will be a wholesale shift towards pentest platforms.
Where PDFs provide a static issue report that quickly becomes outdated, pentest platforms support the full find-to-fix workflow. They include a clear vulnerability report and risk score for each identified issue, making it easy for security teams to track and prioritize their remediation efforts.
Taking things a stage further, pentest platforms can integrate with tracking systems and vulnerability scanners. This further improves the find-to-fix workflow, and helps pentesting fit more easily into an organization’s wider security program.
At the same time, we believe platforms can empower organizations to manage their pentest programs in the same way CRM systems are used to manage customers. It’s simply much easier to track and control a pentest program when it provides clear reporting and makes it easy to assign and schedule workloads.
And if you’re wondering, “what do you mean by pentest programs?”… we’re glad you asked.
Prediction #2: Pentests Will Be Fast, Frequent, and Highly Focused
Historically, pentests have been large, expensive, and relatively infrequent. A typical engagement lasts at least two weeks, and could easily cost tens of thousands of dollars.
But with the proliferation of complex, Internet-facing applications — and the drive for faster development cycles — we see this changing. Instead of large, infrequent pentests, we expect to see organizations demanding smaller, faster, and more frequent tests.
We call these ‘pentest sprints’; breaking up pentesting activities to better fit with the development lifecycle. By conducting a series of smaller pentests throughout the app development process — and engaging pentesters with specialized skillsets to identify issues with individual application components — organizations can drastically improve app security while continuing to meet all compliance requirements.
In the past, transaction cost has been a huge barrier to this approach. Suppliers needed to schedule, manage, execute, and report on a pentest, and it was logistically much simpler to arrange all that if pentests were large and infrequent. But this approach just doesn’t meet the needs of a modern organization.
With a pentest platform, pentesting can easily be broken up into smaller pieces. Transaction costs are reduced, and the logistics of arranging smaller, more frequent tests become much easier to manage. This is what makes the notion of a ‘pentest program’ far more achievable.
Prediction #3: Pentest Analytics will Become a Thing
However you slice it, pentests are costly and time-intensive. As organizations are becoming increasingly security-focused, we expect to see them demanding more in-depth analytics from vendors.
Historically, this simply hasn’t been available from pentest vendors. As a result, determining the ROI of a pentesting engagement has been close to impossible.
But this doesn’t gel with modern, business-focused cybersecurity functions. Both security and procurement teams have an expectation that services purchased will provide a clear and measurable ROI, along with the quality and results data to back it up.
In simple terms, pentest analytics fall into two categories:
Pentest Program Metrics: like application coverage, pentest frequency, and average time-to-fix.
Pentest Engagement Metrics: like the number of issues found, vulnerability types, and risk scores.
An effective pentest program is critical to the ongoing security of an organization’s application portfolio. By combining both categories, organizations can build an accurate picture of how effective their pentest programs are, and what ROI is being realized.
For this reason, we expect to see comprehensive analytics becoming a core requirement of pentest solutions in 2020.
Moving Beyond Compliance
Let’s be honest. The original reason why so many organizations started to invest in pentesting is that it was (and still is) a requirement of major compliance frameworks like PCI-DSS.
But that’s not the main driver anymore. And it hasn’t been for a while.
For years now, organizations across all industries and locations have understood that properly securing applications is fundamental to their ability to operate. And ensuring the ongoing security of applications requires effective, consistent pentesting.
The predictions we’ve made here are simply a recognition that the cybersecurity field has come of age. Organizations now expect cybersecurity vendors to provide professional, business-focused solutions, just like they’d expect from any other B2B technology vendor.
And in the coming months, that’s exactly what they’ll engage with.