Penetration testing has become common practice for vulnerability assessment over the past decade. There are several reasons why people do pentests. Identifying risky vulnerabilities for developers to address is great practice for risk reduction. That being said, many times the reasons to commission pentests are regulatory compliance, customer expectation, or contractual requirements — just to “check the box.”
The drive to push down the cost of pentesting through software automation and to check the box has called the efficacy of pentesting into question. More and more, traditional penetration testing is suffering from shortcomings that lessen its effectiveness for risk reduction. Organizations spend millions of dollars a year on compulsory pen tests without seeing any value in reducing actual risk. In fact, research shows that the majority of security leaders are not satisfied with their current pen test efforts.
Here are some top challenges of traditional pentests.
Penetration testing firms are consulting firms first and foremost. That means billable hours are king. Consultants will often be double booked across projects and always under the gun to produce their testing report. This drives down actual testing time and encourages reuse of findings from previous tests so that reports pass the “weight test.” Ultimately this means untested portions of the target application and vulnerability blind spots.
Pentesting is usually performed by one or two people using a rote methodology, and most companies typically only run one or two pen tests per year. Given the huge number of potential adversaries and their diverse skill sets and creativity, it is totally unrealistic to expect such an approach to uncover even a fraction of the vulnerabilities an application may have.
Typical pen tests produce a long-form report with listed checkboxes and vulnerabilities. There’s no integration into the software development lifecycle, which adds operational overhead and slows the pace of both remediation and application development.
Time to Market
Traditional pen tests are “point in time” exercises, but in today’s continuous application deployment paradigm, “point in time” may as well be never. Testing once or twice a year will leave new application code and attack surface untested for months.
The reality is that organizations continue to spend money on pentests because they are well-understood and accepted by auditors and compliance regulations, and not because they are effective for reducing risk or controlling costs.
Bugcrowd’s Next Gen Pen Testing (NGPT) delivers the only scalable model for sidestepping the operational handcuffs of traditional testing approaches. Bugcrowd NGPT delivers 7x more vulnerabilities than traditional penetration testing, dramatically improving both security posture and software development best practices.
To learn more about the pain points of traditional pen testing and the benefits of Bugcrowd’s Next Gen Pen Test, register for our AMA on Next Gen Pen Test, featuring Bugcrowd’s CSO David Baker, and VP of Researcher Growth, Jason Haddix on Thursday, November 15 at 10am PST / 1pm EST.