Life Prior to Application Security Testing: Looking Spiffy in My Bow Tie

When I turned 13, my family invited a lot of guests to my Bar Mitzvah party. My parents encouraged me to wear a bow tie, ordered catering and even sponsored a two-person band so that everyone would have a great time. To ensure that we would always remember the party (and preserve my memories of the bow tie forever), they hired a photographer from a neighborhood studio to film the event and produce a video.

The photographer spared no technical effort: he delivered a ridiculously long video, complete with split-screen effects, and even color-graded the finished product. Of course, everyone was happy with his work, most notably Mom and Dad.

Your Penetration Testing Program: Could It Become the Next Neighborhood Photo Shop?

So how does this event from my past connect with application security testing on cloud? Because in application security, just as in video production, the role of technology is to simplify complicated processes and make them accessible to non-specialists. Tasks that were once considered complex and required expensive equipment now fit in the palm of your hand.

Today, nonexperts produce high-quality videos and photographs with simple editing apps on their mobile devices and with services they find on the Web. As a result, neighborhood photography studios are practically extinct. This trend doesn't mean experienced video editors can't make a solid living; rather, the talented, professional ones focus on the business sector, which demands higher-quality output.

Will automated, cloud-based application security testing services have the same impact on penetration testers?

Traditional Pen Testing — Soon to Be Replaced by Automated Cloud Testing?

As with video editing in the past, the work of the penetration tester is considered complicated and something only true security professionals can do. With that in mind, can it really be replaced by an automated, cloud-based service?

In fact, few people are truly qualified to work as penetration testers, and far fewer are among the best. Pen testing is much more than running cool hacking tools and producing vulnerability reports. Great pen testers have deep knowledge of operating systems, networking, scripting languages and more. They are eager to learn new approaches and put what they learn into practice. They combine manual work with automated tools and test in iterations, reviewing interim results to chain individual findings into complex attacks, just as a cybercriminal would.

However, many one-person security consultancies and small companies offer pen testing services. Some base their services solely on one or more hacking tools and produce attractive-looking reports detailing every issue the tools found. As with my old neighborhood studio photographer, there is no real magic there: their results rest on the tools they learned to operate rather than on specialized skill, which means their customers could automate the same testing themselves and save time and money.

I certainly don't think that cloud-based application security testing services will make pen testers' work redundant, but I do think they can help clean out the weeds and establish order in the field. I also believe that organizations relying on a penetration testing-only approach to application security place themselves at high risk of a data breach: a pen test is a point-in-time assessment, while new code and new attack techniques keep arriving between engagements. Overall, the best approach is periodic pen testing combined with routine, automated application security testing, since application threats emerge quickly and evolve suddenly.

The Sweet Spot for Application Security Testing on Cloud

Application security testing on cloud can do more than introduce order into the field. A reliable cloud service produces results that security experts can use to reduce some of their busy work, allowing them to concentrate on the more complex aspects of their roles.

Such testing can also be used by other groups in the company, such as developers or QA, freeing up expensive security team time and speeding release cycles by letting teams identify security vulnerabilities earlier in the development life cycle, when they are cheapest to fix.
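One concrete way developers and QA put routine, automated testing to work is a build gate that reads the scanner's report and blocks the release only on new findings above an agreed severity. The script below is an added example, not code from the original article or from any particular product. It assumes the scanner emits SARIF 2.1.0 (the interchange format most SAST and DAST tools can produce); the SARIF document and the list of accepted findings embedded in it are constructed for the example, and the rule IDs and file paths are hypothetical.

```python
"""Gate a build on the results of an automated application security scan.

Added example, not code from the original article. Assumes the scanner
writes SARIF 2.1.0; the sample document below is constructed. Findings that
have already been reviewed and accepted are listed in a baseline by
fingerprint, so the gate blocks only *new* findings at or above the chosen
level instead of becoming noise that teams learn to switch off.
"""
import hashlib
import json

# Order used to compare SARIF "level" values against the gate threshold.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_sarif(path):
    """Read a SARIF file produced by the scanner (path is supplied by the CI job)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _location(result):
    """First physical location of a result, or an empty dict if none is recorded."""
    return (result.get("locations") or [{}])[0].get("physicalLocation", {})


def fingerprint(result):
    """Stable identity for a finding: rule + file + line, not the message text,
    so a reworded scanner message does not turn an accepted finding into a new one."""
    loc = _location(result)
    uri = loc.get("artifactLocation", {}).get("uri", "")
    line = loc.get("region", {}).get("startLine", 0)
    key = f"{result.get('ruleId', '')}|{uri}|{line}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def findings(sarif):
    """Flatten a SARIF document into a list of plain finding dicts."""
    out = []
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            loc = _location(r)
            out.append({
                "fp": fingerprint(r),
                "level": r.get("level", "warning"),  # SARIF default when omitted
                "rule": r.get("ruleId", ""),
                "uri": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine", 0),
                "msg": r.get("message", {}).get("text", ""),
            })
    return out


def gate(sarif, fail_level="error", baseline=()):
    """Return (passed, blocking): blocking lists new findings at/above fail_level."""
    threshold = LEVEL_RANK[fail_level]
    blocking = [
        f for f in findings(sarif)
        if LEVEL_RANK.get(f["level"], LEVEL_RANK["warning"]) >= threshold
        and f["fp"] not in baseline
    ]
    return (not blocking, blocking)


# Constructed SARIF output: two real problems plus one finding in test fixtures
# that the team has already reviewed and accepted.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},  # hypothetical tool name
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from user-controlled string"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "py/hardcoded-credentials", "level": "error",
             "message": {"text": "Hard-coded API token"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}

# Accepted findings (constructed): the token in a test fixture was reviewed.
ACCEPTED = {fingerprint(SAMPLE_SARIF["runs"][0]["results"][2])}


def main():
    passed, blocking = gate(SAMPLE_SARIF, fail_level="error", baseline=ACCEPTED)
    for f in blocking:
        print(f"{f['level'].upper()} {f['rule']} {f['uri']}:{f['line']} {f['msg']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as written, the gate fails on the SQL injection finding and ignores both the accepted fixture token and the warning-level weak hash; lowering `fail_level` to `"warning"` also blocks on the MD5 finding. The baseline is the part teams most often skip: without it, the first scan of an existing code base fails on every legacy finding, and the gate is quietly disabled, which is exactly the outcome routine testing is meant to prevent.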

