3 PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.
3 PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

Pentest as a Service (PtaaS) Impact Report 2020

Businesses are expanding pentesting scope and frequency

The DevOps market size is expected to reach $12.85 billion by 2025, according to a new study by Grand View Research, Inc. It’s no wonder that every application security leader has faced the same challenge in the last few years: How will we adapt application security measures to meet the quickly evolving needs of the modern software development environment?

With this backdrop, Pentest as a Service Impact Report: 2020 is a new study that aims to unravel and understand the specific benefits and challenges of deploying a PtaaS solution in a modern software development environment, as well as compare the SaaS model with traditional, legacy pentest services.

What is the impact of DevOps on application security?

DevOps is changing the scope, cadence, and implementation of application security measures. Application security continues to rise as a top priority for companies. While infosec teams have historically managed application security responsibilities, today’s DevOps-oriented companies divide these responsibilities between development and security. Traditional application security measures are proving too clunky to remain operationally useful.

The proliferation of software presents unique challenges to application security testing. Automated vulnerability scanners, consultancies, bug bounty programs, and crowdsourced pentesting must all adapt to modern software development practices. The metrics for measuring the efficacy of application security testing has subsequently shifted to include:

  • Communication between security and development

  • Operational efficiency and enhanced collaboration

  • Agile testing that covers cloud, APIs, and microservices

  • Transparent documentation and actionable results

As the speed of software deployment hastens, so must application security measures.

Overview of PtaaS Impact Report: 2020

In 2017, I partnered with Cobalt to investigate the return on investment for pentesting. I specifically wanted to research the associated costs and benefits of the emerging Pentest as a Service (PtaaS) model compared to traditional pentesting. In my original study, I interviewed several organizations using PtaaS and found that the ROI of a PtaaS engagement was 96% higher than traditional pentesting. This was largely due to increased accuracy, lower prices, and improved efficiency.

As more companies implement DevOps practices, I wanted to understand the impact of DevOps on the adoption of application security measures such as pentesting. More specifically, I wanted to evaluate the benefits and challenges of deploying a PtaaS solution in a modern software development environment.

For this 2020 study, I conducted in-depth interviews with companies using a PtaaS solution about their application security measures and DevOps practices. Four of the five companies I interviewed practice DevOps extensively, while the fifth expressed a strong desire to move in that direction. Here are my top 4 takeaways from this research, which you can read in full here.

impactReport_1-2
Key takeaways from the report.

Key Takeaway #1: Application security is a top priority for companies

We’ve observed a noticeable difference in pentesting motivations over the last three years. Security is now the top driver for pentesting, compared to compliance-driven requirements in 2017. Although compliance and customer demand continues to influence pentesting, all of the companies we interviewed cited top-down mandates to secure their applications and services. Heightened security awareness among executives has further increased the expectation to improve breach resiliency.

Key Takeaway #2: Companies are expanding pentesting scopes and frequency

Every company we interviewed has a policy to pentest 100% of their applications on an annual basis. Additionally, some companies are pentesting business-critical applications more frequently — from biannually to quarterly. This is distinctly different from 2017, when companies were primarily testing their most business-critical applications.

The scope of pentesting is also expanding to cover APIs, microservices, and enterprise applications. In 2017, few of the organizations we interviewed were testing APIs and instead were predominantly focused on web applications. The evolution of DevOps has fueled the proliferation of APIs, and some companies have even adopted API-first development models.

As a result, companies need access to a larger testing pool that offers a breadth of technical knowledge and a variety of talent. Since a PtaaS service is cloud-based and not physically constrained to local pentesters, it provides access to a larger and more diverse talent pool that meets the skill and knowledge requirements of DevOps-oriented companies. As the head of application security for one software management company explained, “We want fresh perspectives, but they should come from someone who understands how this type of application works.”

Key Takeaway #3: PtaaS enables more agile testing and closer collaboration between security and development teams

As more companies become DevOps oriented, the demand for rapid and agile pentesting has increased. Many of the companies we interviewed develop and deploy cloud applications across different cloud infrastructures, subsequently eradicating the need for onsite testing. Through leveraging prior results from its SaaS platform, PtaaS enables easy onboarding of new tests and is location agnostic, allowing horizontally-scalable testing. Since results are delivered in real-time through the platform, triage and remediation efforts can be conducted in parallel to the pentest. Updates are saved and reflected in the PtaaS platform, thereby enhancing operational efficiency.

The companies we interviewed identified a lower communication overhead between security and development through using a PtaaS platform. Development teams can engage directly with testers throughout the test, leading to faster remediation. PtaaS enhances operational efficiency through automating manual tasks such as opening a ticket and verifying a fix. Continuous interaction on the platform and integration with toolchains, such as Jira, improve workflow efficiency. Ongoing visibility into test results also reduces friction between security and engineering.

Key Takeaway #4: PtaaS has a lower overhead than professional service-based pentesting

All of our interviewees stated that when compared with traditional manual testing, Cobalt’s PtaaS model yielded more high-fidelity test findings, resulting in fewer false positives and more impactful outcomes. A PtaaS platform provides real-time results with detailed information about the nature of the tests and context, making triaging and validation more efficient. This transparency, compared to the limited visibility of traditional pentesting, facilitates deeper test coverage. Users can even course correct if coverage becomes a concern. In short, the PtaaS platform offers considerable strengths in its documentation of test scopes, parameters, and context, leading to faster and more actionable results.

Conclusion

DevOps’ accelerating momentum favors application security measures that facilitate communication, transparency, and collaboration. When compared to traditional pentesting, PtaaS has nimbly adapted to meet these challenges through:

  • A large, remote talent pool with a wider range of skills and knowledge

  • Easy onboarding through a centralized platform, enabling agile and horizontally-scalable testing

  • Higher-fidelity results that are updated in real-time

  • Frictionless communication among pentesters, security practitioners, and developers

These conclusions are based on in-depth interviews with organizations that are using PtaaS. The companies I interviewed are primarily SaaS and enterprise software providers ranging from publicly-held companies with thousands of employees to privately-held, mid-sized companies with hundreds of employees.

What does this mean for your organization? Consider conducting your own analysis to compare different application security options and determine the right model to meet your modern software environment.

With PtaaS increasing in popularity, pentesting can better align with the pace of your organization while increasing efficiency, decreasing costs, and making your organization more secure.

*For more information, download the Pentest as a Service Impact Report: 2020.

Back to Blog
About Chenxi Wang Ph.D.
An experienced strategist, speaker and technologist in the cybersecurity industry, Wang also is on the board of directors for MDU Resources (NYSE: MDU), and served as a global board member of the Open Web Application Security Project (OWASP) Foundation. Previously, she was Chief Strategy Officer at Twistlock, VP of Strategy at Intel, and VP of Research at Forrester. More By Chenxi Wang Ph.D.
Launching "The PtaaS Book: The A - Z of Pentest as a Service"
Authored by InfoSec community advocate and Chief Strategy Officer at Cobalt, Caroline Wong, The PtaaS Book features 7 chapters that go in depth to answer a variety of questions.
Blog
Jan 10, 2022