- Network penetration testing targets network and host configurations to verify patches and other vulnerability checks.
- Application penetration testing focuses on testing custom applications, such as web applications, application programming interfaces (APIs), and rich-client applications.
With application pentesting in particular, a typical engagement involves a small team that spends a week or two focused on a specific application. Because of the long delays and natural bottlenecks associated with the process, organizations generally save these tests for the end of the software development life cycle (SDLC).
Feeding the Need for DevOps Speed
In the early 2000s, pentesting traditional monolithic web applications was relatively easy. Anyone with a proxy and the OWASP Testing Guide could find a wide range of issues. However, since that “golden age” of pentesting, software development has accelerated dramatically.
An astounding 92.7 billion lines of code were written in 2020 alone. Today’s software applications have become much larger, more complex, more interconnected, and far more critical to the individuals and organizations that use them. The majority (79%) of DevOps teams report that they are under increasing pressure to shorten release cycles – and 80% of teams deploy code to production at least multiple times per week. Indeed, modern development pipelines are designed to deliver software not in days or even hours – but in minutes.
How Can Pentesting Keep Up With Today's Development Cycles?
1. Start with threat modeling
Traditional pentesting efforts are often poorly prioritized and directed. Rather than focusing on finding the most critical risks, they simply use a checklist or a specific set of tools. For modern applications in particular, threat modeling can help drive testing priorities by identifying key security and privacy concerns. The Threat Modeling Manifesto is a great place to get started.
2. Partner with development
Effective testing requires detailed information about how the application works and the ability to leverage the quality-test infrastructure to generate and modify application traffic. The fastest way for application security to do this is to partner with the development team. Here, pentesters should strive to work with developers to understand an application’s unique complexities without compromising their independence.
3. Stop competing with tools
Pentesting should be part of a “balanced breakfast” of testing techniques. Do not waste precious pentesting hours on things that have been already thoroughly tested with other techniques, such as interactive application security testing (IAST). Focus manual testing efforts on the specific areas where other application security tools are weak, like authentication, access control, and use of encryption. Track your route coverage to make sure you have thoroughly tested all the applications or API attack surface.
4. Embrace continuous testing
DevOps and Agile workflows have been widely embraced to accelerate release cycles and the amount of new code being written. Modern SDLC pipelines often deploy code to production many times each day. There is simply no way to perform traditional penetration tests before release without disrupting workflows and severely slowing down the SDLC. To reduce the time between deployment and testing, organizations must consider more scalable approaches that can run continuously.
5. Adapt to modern application complexity (APIs, microservices, serverless)
Today’s cloud-native applications can be difficult to test. Authentication schemes are complex and rapid request rates make interception difficult. For example, APIs do not just use HTTP with simple payloads. They also use things like JSON, XML, and serialized objects. And API security has become particularly important – specifically, APIs serve as gateways into an enterprise (making them popular targets for bad actors). Further, as modern pentesting requires tools that generate attack traffic across all the distributed parts of the application, it may take time to understand these communications and gain comprehensive visibility.
6. Understand open-source libraries and frameworks
Similarly, there is complexity on the server side. The vast majority of applications (94%) rely on open-source components, each with an average of nearly 700 dependencies that present potential vulnerabilities. For example, the newly discovered dependency confusion attack can leverage an open-source ecosystem flaw to upload malware to repositories, which then get automatically distributed downstream into internal applications. To address these sorts of issues, a pentesting team must quickly understand the application framework, how it routes to code, and how built-in security defenses are supposed to work.
7. Leverage instrumentation
Organizations can dramatically accelerate penetration testing by getting visibility into exactly what happens inside the application code or API when an attack is sent. Security instrumentation tools (like IAST) are very effective at tracking things like data flows, control flows, backend connections, and configuration files. Application security teams should install an agent before starting pentesting, which can then provide an inside view of all actual vulnerabilities present in the code during the application runtime. This visibility can dramatically accelerate penetration testing coverage and accuracy.
8. Deliver security test cases
Communicating with development teams and other groups that need to know about security is tough. Rather than delivering a traditional PDF report with arcane findings, application security teams should consider using Jira tickets to make their recommendations easier to consume. Even better, application security teams can deliver findings as test cases that run continuously with every build to prevent future instances of each discovered vulnerability from ever reoccurring. Security that natively integrates with ticketing systems can have an even broader impact – helping to improve the accuracy of testing, incentivize the remediation, and accelerate development cycles – all while helping to deliver secure code to production.
The Evolution of Penetration Testing
Ideally, the goal of modern pentesting should be to figure out new application technologies and how to test them for vulnerabilities. Penetration testing teams should be the advance guard for SDLC – driving the state of the art in security forward. But there simply are not enough skilled individual application security researchers to perform penetration testing on everything. So, we must continuously take the manual test approaches designed by penetration testers and support them with automation.
That said, unlike premature prognostications a decade ago, penetration testing is not on its deathbed. In one form or another, it will always be a valuable part of application security. And as applications continue to expand and grow more complex, security must evolve pentesting for each new layer that is added.
For more details on next-generation pentesting, make sure to register for the upcoming webinar – “How to Streamline AppSec with Interactive Pentesting.”
There simply isn’t enough time and resources to perform pentesting on everything developed in the worlds of Agile and DevOps where release cycles occur daily – or even faster.
Discover what next-generation pentesting looks like when combined with interactive application security testing (IAST). Attendees will learn:
- Why pentesting shouldn’t compete with other AppSec testing tools and waste time with things already thoroughly tested
- How pentesters should partner with development teams to gain deeper insights into individual applications
- How pentesting can be adapted to modern application complexities such as APIs, microservices, etc.
- How pentesting should be combined with security instrumentation for tracking data flows, control flows, backend connections, etc.
- And more!
[wonderplugin_video iframe="https://youtu.be/Ajqgqwo1Plw" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => How to Streamline AppSec with Interactive Pentesting [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-to-streamline-appsec-with-interactive-pentesting [to_ping] => [pinged] => [post_modified] => 2023-06-22 19:39:42 [post_modified_gmt] => 2023-06-23 00:39:42 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=22992 [menu_order] => 63 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 2 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 26c8d6af066c29e0bcd93892862aed7f [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )