#ISC2Congress: Which Pen-Testing Approach is Right for Your Business?
Speaking during the virtual (ISC)2 Security Congress Alex Haynes, CISO at CDL, explored the various pen-testing approaches available to organizations and outlined how companies can determine which is the best option for their business use cases.
“The problem with pen-testing in the market is that there’s an ‘alphabet soup’ of terminology and it is very easy to get confused when there are all these marketing terms being thrown around.”
Essentially, there are three key approaches to pen-testing that organizations can implement, Haynes said.
The first is traditional pen-testing, defined as a “snapshot of your security posture at a particular point in time.”
The pros of traditional pen-testing methods include cost efficiency, flexibility and standardization. However, there are important inadequacies to consider when it comes to traditional pen-testing approaches, Haynes warned. These include the fact that they are infrequent, time-limited, lack diversity in approach and can invoke pen-tester syndrome (a focus on theoretical vulnerabilities that make things appear worse than they actually are).
The second approach to pen-testing open to organizations is the crowdsourced security option, Haynes continued. This involves “having more than one tester who has no affiliation [with your systems] looking for bugs and vulnerabilities on your systems and applications.”
A crowdsourced security pen-testing strategy offers some key benefits that traditional pen-test methods cannot, including higher frequency rates, unlimited time-scales and a more cost-effective business model (in the short run) in which researchers are only paid per vulnerability rather than taking a full salary.
However, as with traditional pen-testing approaches, crowdsourced strategies have their own drawbacks to consider. These include web-heavy skillsets of researchers, potentially unethical behaviors and heavy network traffic .
The third and final approach to organizational pen-testing is automated pen-testing, Haynes said.
“This mimics the behavior of a human attacker by choosing the best kind of attack vector for a particular vulnerable system, at scale, without human intervention.”
Automated pen-testing can be run on a daily basis/continuously, generate reports on the fly and be configured to start from anywhere or only use certain vectors for testing certain attack scenarios, so they have clear benefits, Haynes explained.
At the same time, as with traditional and crowdsourced pen-testing, there are downsides to automated pen-testing such as the fact that they are only useful for pen-testing inside the network, have a lack of understanding regarding web applications and potentially high cost-per-asset expense for larger networks.
To conclude, Haynes said that deciding which pen-testing approach is best suited to any organization depends on various factors, but added that strategies are not mutually exclusive, always start with pen-testing to establish a baseline and, if your budget permits, can be layered with other approaches.