Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

<
Back to Main

A Programmatic Approach to Pentesting

Ray Espinoza
Jul 8, 2020

Traditional penetration tests have been a staple of cybersecurity programs for decades. They’ve helped organizations all over the world identify common issues that could otherwise have led to serious incidents.

But in recent years, development and release cycles have sped up dramatically, with new applications, software updates, and configurations added all the time. Where annual ‘point-in-time’ assessments once made sense, they now leave assets potentially vulnerable for most of the year.

And that’s not the only problem:

  • Penetration testing vendors are often booked up months in advance, so customers can rarely get the testing they need at the time they need it.

  • Testers are chosen based on availability, and often won’t have domain-specific expertise in the assets being tested for a specific engagement.

  • Checklist-based testing and limited time engagements make it difficult for testers to uncover deeper issues and vulnerabilities.

In the modern world, traditional penetration tests simply don’t do a good job of managing cyber risk. A fresh approach is needed.

Introducing the Pentest Program

A pentest program is a planned series of pentests designed to systematically identify and resolve vulnerabilities in one or more assets or asset groups.

Pentest programs usually run on an annual, renewable cycle, with tests completed regularly throughout the period. For example, critical assets might be tested monthly, while less critical asset groups might be tested quarterly or bi-annually.

Organizations choose pentest programs in place of ad-hoc testing for two main reasons:

  1. To ensure the ongoing security of critical and frequently updated assets through continual testing.

  2. To significantly increase the chances of quickly identifying and resolving high-risk vulnerabilities.

How Does a Pentest Program Work?

While pentest programs vary significantly depending on the needs of the organization, the basic process is very simple:

  1. The security team plans and scopes a test.

  2. Pentesters complete their testing while maintaining communication with the customer.

  3. Vulnerabilities are severity-rated and sent to engineering for remediation.

  4. Pentesters complete further testing to ensure fixes have addressed each vulnerability.

This process is repeated at the necessary cadence to ensure the ongoing security of digital assets.

For a variety of reasons, pentest programs don’t fit well with traditional security testing delivery models. For one, traditional penetration testing vendors rarely have the capacity or availability to provide consistent testing throughout the year. Meanwhile, hackers available through modern bug bounty programs often don’t have the tools, skills, or infrastructure needed to provide a comprehensive penetration test.

Instead, pentest programs usually work best with the emerging Pentest as a Service (PtaaS) delivery model.

How PtaaS Enables More Consistent Testing

PtaaS uses a platform-driven approach and draws from a global pool of vetted and verified pentesters with varying backgrounds and skill sets. For each project, the testing team is selected to ensure the right mix of skills and experience, making PtaaS more focused than other security testing models.

This approach has a variety of benefits:

  • The platform-driven approach allows for easy communication between testers and developers.

  • Pentesters will always have the domain-specific expertise needed to ensure higher frequency testing and greater coverage.

  • Testing can be scheduled promptly, and vulnerability reports are provided within the platform immediately.

  • Vulnerabilities are validated and severity-rated before submission to cut out false positives.

PtaaS gels particularly well with pentest programs because it enables continuous interaction between the security team, the testing team, and developers — both during and between engagements.

How To Build a Comprehensive Pentest Program

There are plenty of things to consider when building your first pentest program. As a starting point, you must decide what your objectives are, how to scope each engagement, and how frequently to test.

To guide you through this process, we’ve created A Comprehensive Guide to Building a Pentest Program.

Download the guide today to learn:

  • What (exactly) a pentest program is, and how it compares to other common security testing delivery models.

  • Why you might choose a programmatic approach to security testing, and the benefits it has over one-off penetration tests.

  • How to build a pentest program, starting from setting objectives and working all the way through to tweaking your program between engagements.

  • The difference between grey box and black box testing, and which Cobalt recommends for most organizations.

  • Who to involve in your pentest program, and how to gain support from your executive team.

  • How we run our own pentest program to ensure we keep Cobalt assets secure, plus lessons we’ve learned from our program in the last year.

  • Why a pentest program is the ideal way to incrementally improve security at your organization.

Download the free guide to learn more.