Ensuring software security requires testing. Penetration testing – storming software as a malicious hacker might – has become a standard procedure. Now, penetration testing as a service, or PTaaS, has emerged as a strategy for gaining more value and, therefore, more assurance from the results of penetration testing.
Brian Tillett, the field chief information security officer for the public sector at Synack, detailed some of the benefits.
“The unique piece of PTaaS is, no matter what type of asset you are penetration testing – app, application programming interface, web, even an artificial intelligence or large language model instantiation – you get a uniform report,” Tillett said. “Everything looks exactly the same. You get actionable intelligence, and everything is presented to you through a trusted platform.”
With the traditional way, different individuals from different groups do penetration testing independently of one another, Tillett said. They deliver results later on, in a variety of formats that might be difficult to make sense of.
“It’s backward looking, it’s never had the opportunity to become something that is part of security operations in real time,” Tillett said.
Plus, with uniform testing output, Tillett said, “you now have the ability to integrate that into other solutions. It might be your patching solution, it might be your security operations center, it might be your security information and event management (SIEM) technology.”
How it works
Although PTaaS includes some automated elements, clients get human experts in various facets of software development who perform the PTaaS, Tillett said.
“Once we kick off a mission, through penetration testing, we basically assign a cohort or a group of penetration testers to that specific asset, or whatever it is that we’ve designated within that mission,” he said.
Tillett added, “The penetration testing aspect of it truly going and finding your vulnerabilities, documenting them, making literally a recording of what we’ve been able to find, so it can be replayed back to your security operations center, your responders inside the organization. All that is a human led effort.”
Too often, according to Tillett, penetration testing and vulnerability discovery take place late in the development cycle, say just after compiling and before deployment.
“Security has kind of been bolted on at the end,” he said, “and the security team does the penetration testing at the last minute before it goes live.”
Penetration testing as a service makes it more practical to apply testing throughout the development lifecycle.
“We have to roll back into the development lifecycle,” Tillett said, so that by run time, the organization will have a relatively vulnerability-free application.
This is especially important in use cases such as military deployments. He cited the example of installing software on a vessel docked in port for a limited time.
“You’ve only got three weeks that a submarine or ship might be above water and in port,” Tillett said. “And if you’re trying to make that window and you find out that the application is full of holes, or the software is broken, guess what? We’ve missed that mission entirely.”
If speed to deployment matters – and it nearly always does – then all the more reason to use PTaaS throughout the cycle so that developers can find and fix vulnerabilities quickly – before code moves to the next stage.
Tillett made the analogy of race cars: “It’s not the fastest car on the track that wins the race,” he said. “It’s the driver that uses the brakes the least.”
Spot the trends
While penetration testing reveals vulnerabilities at various stages of software development, Tillett says PTaaS has a more fundamental purpose.
“The reason why we do penetration tests is not to find vulnerabilities,” he said. “The reason why we do penetration tests is to reduce vulnerabilities over time. Let’s identify the pattern and get to the root cause of why this happened.”
That is, it not only ensures security becomes organic in development, but it also improves the quality and efficiency of development.
Tillett recommended a risk management approach to where you apply PTaaS.
“Testing is not like peanut butter, you don’t spread it evenly across the entire organization,” he said. “You protect the mission critical application, the mission critical software, the application that’s processing citizen data or making mission critical decisions.”
An emerging area of importance for PTaaS, Tillett said, is the software bill of materials that arrives from contractor-engineered or commercial off-the-shelf applications. They typically contain multiple blocks of open source code that may not be vulnerability-free.
“There’s definitely an appropriate level of applying penetration testing to validating the software bill of materials,” he said. The SBOM is likely to have elements with known vulnerabilities, or it reveals older versions of particular blocks of code. In some instances, malicious actors have patched open source code in order to add back doors they can exploit. Tillett said PTaaS can work in what he called a closed loop remediation cycle to ensure that open source code was patched properly and stays secure.
Still another case for PTaaS stems from the rapid adoption of artificial intelligence into applications. Testing, Tillett said, can reveal vulnerabilities in training data, perhaps from deliberate data poisoning, that could make their way into the application.
“How are you going to be able to determine when data poisoning took place?” Tillett said. “The best way to do that is to make sure all the holes are closed as you develop.”