Have you heard of Continuous Penetration Testing?
Key benefits that continuous testing provides. Get more value from offensive testing!
The goal is to keep your organization secure by devoting monthly effort to testing new techniques and identifying unknown risks. Continuous penetration testing is triggered when change is identified in your network or when the threat landscape changes.
Latest techniques are tested on a monthly basis while testing styles (overt, purple team, red team) adapt as your organization's security posture matures.
A better testing methodology + a different mindset = more actionable value
The testing methodology eliminates surprises while guiding your organization to improved security posture.
In order to properly focus testing efforts, the following actions are performed:
This graphic provides a good visual difference:
Continuous penetration testing is a consulting firm dedicating X number of hours at Y intervals per year. It's not automated scanners generating rebranded vulnerability reports.
This is a real example from one of our clients. Name changed obviously ;-)
Acme Corp had been a client for 7 months when we discovered a new set of credentials in a Twitter dump, leading us to a breach of their network.
Sprocket Security performed the following actions:
Acme Corp security contacts notified
In this example
Acme Corp already knew about some single-factor authentication on the VPN and was working towards remediating it. However, Sprocket Security was able to identify a credential stuffing attack before it was used maliciously against
Removing artificial time constraints allows for a larger variety of attacks to be performed.
New techniques for abusing built-in tools to execute code (AKA living off the land) are released every day. Your team is swamped with tasks that require deep working knowledge of your environment. Free them up by having pentesters who perform these attacks daily help determine whether you're vulnerable to these new techniques.
Waiting until next year's pentest to uncover new vulnerabilities is a flawed approach.
Reduce gaps and missed vulnerabilities that usually surface when it's too late. Continuous testing reduces exposure times.
PCI is the most common. Requirements such as testing on major changes and multiple tests per year are achieved with continuous testing.
At any point you can generate a report or an attestation for auditors, directors, board members, etc.
Since vulnerabilities are discovered closer to their inception, the mitigation work can be planned. A steadier and smaller amount of work helps you budget time towards security improvements.
Reducing the time spent on unplanned work means your IT operations will run more efficiently and at lower cost.
Frequent change is happening due to the cloud and DevOps movements. The security impact of these changes is identified and reported.
Your IT staff can access pentesters for advice and knowledge transfer. Pentesters will have a deep understanding of your environment through their continuous testing.
Closer relationships with your security testers will also bring more valuable insight into mitigation planning and solutions.
Mitigation techniques that are difficult and time consuming to implement often require more communication. Consultants assist with mitigation strategies and all progress is tracked through an interactive web portal.
Testing status and activities are logged for real-time and historical views. Visibility into all testing actions is always available.
Because you're not expected to get it right on the first pass. Once you fix a vulnerability, toggle its status in the portal and that automatically assigns the retest work.
Priorities shift whether it's related to business, technology, or threats. Your test results are interactive and their priorities can be adjusted.
Testing adapts as your company matures its security posture. Start with basic external testing and work towards full-scope red team tests.
It's hard to showcase ROI with pentesting, but continuous testing gives you the best insight. Continuous testing provides unique metrics in the following categories: average time to remediate, cost-benefit analysis vs. traditional pentesting, IT staff improvements, maturity of defenses, trends, historical data, and many more.
I've witnessed improvements from many organizations adopting this methodology of testing. If you're serious about securing your company, move to a continuous testing model. There is no reason to wait until your next allotted budget.
Times have changed, and you cannot afford to take security seriously once a year, or even twice a year. If you are not able to move quickly, you can be sure you'll be impacted by a breach.
Finding vulnerabilities and remediating them needs to be part of your IT security competency.
Remember, it's not do you pentest, it's how you pentest.
Contact Sprocket Security if you'd like to discuss what continuous penetration testing looks like for your company.
Protect your company with Sprocket
When your environment changes, or new threats affect your attack surface, we perform security testing. There is a lot more value from this modern approach to testing.