If you Google “How often should I do penetration testing?”, the first answer that comes up is “once a year”. In fact, even industry-leading standards like PCI-DSS dictate that external penetration tests be performed annually (or after significant changes to infrastructure or applications), while internal penetration tests are performed annually, and segmentation tests are performed every six months.
However, today’s cybercriminals do not work on annual schedules. They do not wait for the next scheduled penetration test to arrive and for the vulnerabilities it finds to be rectified. They strike fast, strike hard, and use advanced automated and AI-based tools to exploit vulnerabilities that many organizations don’t even know exist, let alone exist in their own networks. Gartner calls these threats “high momentum threats” and recommends that organizations at risk adopt a more streamlined approach to cybersecurity, including penetration testing.
Meeting the challenges of agile cybercriminals requires a much more agile approach to penetration testing. Here’s why and what can be done:
The need for faster cycles
Standards are catching up with the pace of cybercrime. According to the NIST Cyber Security Framework (CSF), organizations should verify that they have fixed vulnerabilities after each system update or patch deployment. In practice, however, this rarely happens. The reason? Simple economics. Traditional penetration tests are resource intensive and therefore expensive. Qualified penetration testers are in high demand and charge a lot for their services. A single penetration test can easily cost tens of thousands of dollars for just a portion of the target IT environment. Few organizations have this kind of budget, and certainly not the budget required to scale penetration testing across their entire environment with the frequency needed to keep networks secure as new systems, users and applications are upgraded or added.
The need for automation
The traditional attitude toward manual penetration testing is like the traditional attitude toward navigation: nothing can replace the sophistication and accumulated knowledge of a human being. A taxi driver will always beat Google Maps, and a trained penetration tester will find vulnerabilities and attack paths that automated testing might miss, or recognize responses that appear legitimate to automated software but are actually a threat.
The truth is that, on a case-by-case basis, this may well be true. But with commodity tools and services like RaaS (Ransomware as a Service) or MaaS (Malware as a Service) that use AI/ML capabilities to improve attack efficiency, you would need an army of penetration testers to really meet the challenges of today’s cyber threats. And once you had found, trained, and employed them, attackers would simply ramp up their own automation, and you would need to recruit another army. It is clearly not a sustainable cybersecurity model.
Similarly, the wide-scale adoption of agile development methodologies has resulted in more frequent software releases. Because environments are constantly evolving, the results of penetration tests performed on previous or preview versions quickly become outdated. Agile development also often relies on open source and other off-the-shelf code, which frequently carries vulnerabilities of its own.
For all these reasons, penetration testing stakeholders are increasingly turning to automation, with the goal of achieving continuous security validation.
The need for continuity
Traditional penetration testing methodologies, both manual and automated, provide a snapshot of the security posture of your network or application. However, as discussed above, environments are very dynamic, making the attack surface a constant work in progress. When a new API is plugged in, a new server is added, or a new version is released, that snapshot is no longer valid, even if the next round of penetration testing is a year away.
To combat this, organizations are moving toward a continuous penetration test model. Instead of a single test a year, these organizations adopt tools and methodologies that can continuously test their environment. With threat actors continually targeting organizations to discover and exploit new vulnerabilities, there really is no alternative but to take a more proactive approach to discovering and remediating vulnerabilities. Traditional one-off security assessments simply can’t keep up.
The bottom line
Cyber threats have become more agile, more scalable, and infinitely more dangerous. Traditional periodic manual penetration testing simply cannot provide organizations with the security they need to survive. Only an automated, continuous model can secure ever-changing networks and applications, helping the businesses that adopt it stay secure, compliant, and profitable.