Life Prior to Application Security Testing: Looking Spiffy in My Bow Tie
When I turned 13, my family invited a lot of guests to my Bar Mitzvah party. My parents encouraged me to wear a bow tie, ordered catering and even sponsored a two-person band so that everyone would have a great time. To ensure that we would always remember the party (and preserve my memories of the bow tie forever), they hired a photographer from a neighborhood studio to film the event and produce a video.
The photographer spared no technological means and delivered a ridiculously long video with split-screen technology, and he even tweaked the color palette in his finished product. Of course, everyone was happy with the photographer’s work — most notably Mom and Dad.
Your Penetration Testing Program: Could It Become the Next Neighborhood Photo Shop?
So how does this event from my past connect with application security testing on cloud? The connection is that in application security, just like in video production, technology simplifies complicated processes and makes them accessible to everyday people. Tasks that were once considered complicated and required expensive equipment now reside in the palm of your hand.
Today, nonexperts achieve high-quality videos and photographs with simple video and photo editing apps on their mobile devices and with services they find on the Web. As a result, neighborhood photography studios are practically extinct. This trend doesn’t mean experienced video editors can’t make a solid living for themselves; rather, the talented and professional ones focus on the business sector since it requires better-quality output.
Will automated, cloud-based application security testing services have the same impact on penetration testers?
Traditional Pen Testing — Soon to Be Replaced by Automated Cloud Testing?
As with video editing in the past, the work of the penetration testers is considered complicated and only to be conducted by true security professionals. With that in mind, can it really be replaced by an automated, cloud-based service?
In fact, not a lot of people are truly qualified to work as penetration testers — well, at least not as the best ones. Pen testing is far more than running cool hacking tools and producing vulnerability reports. Great pen testers have deep knowledge of operating systems, networking, scripting languages and more. They are also eager to learn new approaches and to put what they learn into practice. They combine manual work with automated tools and test in iterations, reviewing interim results to build complex attack chains just as a cybercriminal would.
However, many single-shingle security consultants and small companies offer pen testing services. Some base their services solely on the use of one or more hacking tools and produce attractive-looking reports that detail all the issues they were able to find. As with my old neighborhood studio photographer, there is no real magic there. Instead, their results are based only on the tools they learned to operate and not on any specialized skills, which means that their customers could feasibly automate testing and save time and money by doing it themselves.
I certainly don’t think that cloud-based application security testing services will make pen testers’ work redundant, but I do think they can help clean out the weeds and establish order in the field. I also believe that organizations relying on a penetration testing-only approach to application security place themselves at a high risk of potential data breaches. Overall, the best approach is to perform periodic pen testing and combine it with routine application security testing since application threats can be released quickly and evolve very suddenly.
The Sweet Spot for Application Security Testing on Cloud
Application security testing on cloud can do more than introduce order into the field. A reliable cloud service brings valuable results that can be used by security experts to reduce some of their busy work, allowing them to concentrate on the more complex aspects of their roles.
Such testing can also be used by other groups in the company, such as developers or QA, freeing up expensive security team time and speeding release cycles, since those teams can identify security vulnerabilities earlier in the development life cycle.
Product Manager – AppScan Cloud Services, IBM