October 13, 2015 By Eitan Worcel 3 min read

Life Prior to Application Security Testing: Looking Spiffy in My Bow Tie

When I turned 13, my family invited a lot of guests to my Bar Mitzvah party. My parents encouraged me to wear a bow tie, ordered catering and even sponsored a two-person band so that everyone would have a great time. To ensure that we would always remember the party (and preserve my memories of the bow tie forever), they hired a photographer from a neighborhood studio to film the event and produce a video.

The photographer spared no technological means and delivered a ridiculously long video with split-screen technology, and he even tweaked the color palette in his finished product. Of course, everyone was happy with the photographer’s work — most notably Mom and Dad.

Your Penetration Testing Program: Could It Become the Next Neighborhood Photo Shop?

So how does this event from my past connect with application security testing on cloud? Because in application security, just like in video production, technology is about simplifying complicated processes and making them more accessible to everyday people. Tasks that were considered complicated and required expensive equipment in the past now reside in the palm of your hand.

Today, nonexperts achieve high-quality videos and photographs with simple video and photo editing apps on their mobile devices and with services they find on the Web. As a result, neighborhood photography studios are practically extinct. This trend doesn’t mean experienced video editors can’t make a solid living for themselves; rather, the talented and professional ones focus on the business sector since it requires better-quality output.

Will automated, cloud-based application security testing services have the same impact on penetration testers?

Traditional Pen Testing — Soon to Be Replaced by Automated Cloud Testing?

As with video editing in the past, the work of the penetration testers is considered complicated and only to be conducted by true security professionals. With that in mind, can it really be replaced by an automated, cloud-based service?

In fact, not a lot of people are truly qualified to work as penetration testers — well, at least not the best ones. Pen testing is way more than just utilizing cool hacking tools and producing vulnerability reports. Great pen testers have deep knowledge of operating systems, networking, scripting languages and more. They are also eager to learn new approaches and put what they learn into practice. They combine manual work with automated tools and conduct their testing in iterations, reviewing interim test results to build complicated attacks just like a cybercriminal would.

However, many single-shingle security consultants and small companies offer pen testing services. Some base their services solely on the use of one or more hacking tools and produce attractive-looking reports that detail all the issues they were able to find. As with my old neighborhood studio photographer, there is no real magic there. Instead, their results are based only on the tools they learned to operate and not on any specialized skills, which means that their customers could feasibly automate testing and save time and money by doing it themselves.

I certainly don’t think that cloud-based application security testing services will make pen testers’ work redundant, but I do think they can help clean out the weeds and establish order in the field. I also believe that organizations relying on a penetration testing-only approach to application security place themselves at a high risk of potential data breaches. Overall, the best approach is to perform periodic pen testing and combine it with routine application security testing, since new application threats emerge quickly and can evolve very suddenly between scheduled tests.

The Sweet Spot for Application Security Testing on Cloud

Application security testing on cloud can do more than introduce order into the field. A reliable cloud service brings valuable results that can be used by security experts to reduce some of their busy work, allowing them to concentrate on the more complex aspects of their roles.

Such testing can be leveraged by other groups in the company, such as developers or QA, freeing up expensive security team time and speeding release cycles by enabling teams to identify security vulnerabilities earlier in the development life cycle.

