Why innovating penetration testing is a must
From the day we are born, many events occur that impact our way of thinking and approach to life. In my case, a lot of these events had to do with the background of my parents which was in engineering, and particularly for my mother, in cybersecurity.
My mother would attend conferences in different countries and then bring me pendrives with a wide variety of programs aimed at hacking. When I was 6 and had a lot of curiosity, just as I loved to take apart toys, I figured out I could do similar things with computer programs.
I started hacking diverse things - especially games for me and my friends - until I finally understood this was bigger than I thought. I realized how useful it was to find and exploit vulnerabilities in any system.
However, my intentions were not to cause any harm: I was just a little kid that wanted to get some credits, lives, and memberships in games and streaming services. My curiosity, combined with my ability, led me to find vulnerabilities in games like Candy Crush (and hundreds of others), streaming services like NBA League Pass, and PayPal to watch Netflix for free.
Besides having that skill, when I was 14, I found a vulnerability in a marketplace that allowed me to get any item for free, just paying for the shipping, which was 2 USD. I went ahead and got a smart TV, a PSP, a microwave, and a little TV for the kitchen. That was the moment it hit me: in some way, I had been stealing for the past 8 years. After that event, I started transitioning to defending some of the most amazing companies in Latin America.
Since that time, one of my main missions has been to convey to people who work in different types of companies the importance of cybersecurity, and how it can change their entire business if done wrong. Undoubtedly, having ethical hackers check your systems for vulnerabilities is one of the best ways to be prepared for potential attacks.
As I had the responsibility of keeping some of the biggest companies in Latam safe, I started to coordinate diverse penetration testing assessments, both internally and externally. These experiences led me to find many inefficiencies in the process; generally, there was a brutal lack of fluency in communications, processes were extremely slow and the assessments were super expensive.
This is why pentesting, even though it is an essential activity that helps companies lower the risk of suffering an effective cyberattack, is really outdated and needs to be changed from the ground up if we want better cybersecurity for everyone.
Having covered the above, in this article I would like to answer some questions about pentesting as it is practiced today, especially diving deeper into how we can make the process better for companies.
The 5 problems of traditional pentesting
As I said earlier, most of the problems pentesting has come down to a lack of communication and to how long it takes a company to find out about the vulnerabilities that have already been discovered. However, I would like to break it down and be more descriptive so you can see why this practice is quite outdated nowadays.
Slow processes: The problem is that pentesting takes way too much time to start. Once we are in contact with the company that needs it, we spend weeks in back-and-forth emails and endless paperwork before the test begins.
Lack of communication: Once the pentest starts, the visibility of what the pentesters are doing is almost nonexistent. This is a huge issue because the pentester does not know if our initial goal changed and we need to shift focus to more important assets than the originals.
Late reporting: In addition to the lack of communication, there is an issue with how reports are delivered. Only when the entire engagement has finished does the company that commissioned the pentest receive a report with full details. The problem here is that the vulnerabilities found during the process are only communicated at the end, which leaves the company exposed to exploitation of vulnerabilities that could have been fixed earlier. When it comes to the security of a company, time is crucial, and one lost day can mean a potential attack becoming effective.
Pentester expectations: Another big issue is that companies that are pentested know very little about the pentesters. It is quite difficult to verify their credentials and, most especially, whether they were superb at their job or not.
Low frequency: All of the problems mentioned above have a direct effect on the frequency of the pentests. Bureaucracy, price, and lack of transparency combined make companies perform pentests only once or twice a year. This should not be the case, because attacks happen every day, meaning companies need continuous cybersecurity.
If your company will be performing a pentest in the next months to take care of some important assets or due to compliance, I highly suggest that you pay special attention to the 5 points mentioned above.
Why? Because cyberattacks are scaling up extremely fast. So far in 2022, the average cost of a data breach is $4.35 million. And not only that: almost 30,000 websites are hacked each day. With this huge volume of attacks, we cannot keep wasting time and resources doing pentests in the traditional, old-fashioned way.
Luckily, more and more companies are realizing that there is a new way possible. This means having top-quality cybersecurity in a continuous and accessible way.
Whenever you are performing penetration testing again to check on the security of your most important assets, I highly encourage you to look for continuous pentesting. This will help you fix some of the biggest issues described and keep your company secure during the entire year.