Penetration testing, in which hired ethical hackers conduct an authorized simulated cyber attack on a company’s network to evaluate its cybersecurity profile, is newly driven by application security instead of compliance and customer requirements, a new report found.
Cobalt.io’s study, entitled Pentest-as-a-Service Impact Report: 2020, said organizations are expanding the scope and frequency of pen tests to their entire application portfolio as well as critical applications. The San Francisco-based company’s PtaaS platform aims to transform the traditional pen testing model for Software-as-a-Service (SaaS) businesses. In 2018, Cobalt landed $5 million in Series A funding, bringing to $8 million its total backing.
The research seeks to “unravel and understand the specific benefits and challenges of deploying a PtaaS solution in a modern software development environment,” Cobalt officials said. A key question the report--authored by Dr. Chenxi Wang, who founded the Rain Capital venture fund and is a former member of the Open Web Application Security Project (OWASP) Foundation--seeks to address is the degree to which DevOps alters pentesting adoption.
Cobalt’s PtaaS platform should be of keen interest to managed security service providers, considering SaaS businesses that want “serious hacker-like testing built into their development cycle,” are its main customer targets. According to Cobalt’s website, it draws on a core group of some 270 “highly vetted, certified pentesters." Pentest-as-a-Service provides "agile and scalable pentesting to identify and resolve security vulnerabilities across application portfolios in accordance with frequent software releases,” said Caroline Wong, Cobalt’s chief strategy officer.
To fashion the study’s conclusions, five Cobalt customers, consisting primarily of SaaS and enterprise software providers, engaged in lengthy interviews. Here’s a summation of the findings:
Application security is a top business priority. When asked about their company’s motivation for pentesting, organizations cited the desire to make their applications and services more secure. This is a noticeable shift from 2017, when compliance and customer requirements were cited as pentesting’s key drivers.
Expanded pentesting scopes and frequency. Companies are conducting pentesting for their entire application portfolio, with higher frequency testing on business critical apps. In 2017, companies conducted annual testing only for key applications.
More agile testing and closer collaboration between security and development teams. Organizations said they viewed PtaaS as a shared responsibility between infosec and development teams. In 2017, application security responsibility was viewed to be exclusively managed by infosec.
PtaaS has a lower overhead than traditional, services-based pentesting. Pentesting that is both location-agnostic and horizontally-scalable removes the geographic location bias involved in traditional pentesting. Better communication between security and development also reduces overhead.
“This study shows how organizations, large and small, implement application security within the backdrop of DevOps and cloud native development,” said Wang. “It’s not surprising to see pentesting as a critical element in modern application security initiatives.”
Of the five companies that Cobalt interviewed, four practice DevOps extensively. The one not practicing DevOps has many monolithic apps and traditional development practices that present a challenge to adopting DevOps. Four of the companies have dedicated security teams that drove the implementation of pentest services.
Other security-testing firms have sprung up betting on using emulated real-world attacks to more accurately identify where security programs break down. Randori comes at probing a company’s security defenses from a different angle. Rather than relying on network perimeter scanning or penetration testing, its Attack Platform, which debuted in February, mimics advanced hacks and threats that companies face.