October 13, 2015 By Eitan Worcel 3 min read

Life Prior to Application Security Testing: Looking Spiffy in My Bow Tie

When I turned 13, my family invited a lot of guests to my Bar Mitzvah party. My parents encouraged me to wear a bow tie, ordered catering and even sponsored a two-person band so that everyone would have a great time. To ensure that we would always remember the party (and preserve my memories of the bow tie forever), they hired a photographer from a neighborhood studio to film the event and produce a video.

The photographer spared no technological means and delivered a ridiculously long video with split-screen technology, and he even tweaked the color palette in his finished product. Of course, everyone was happy with the photographer’s work — most notably Mom and Dad.

Your Penetration Testing Program: Could It Become the Next Neighborhood Photo Shop?

So how does this event from my past connect with application security testing on cloud? Because in application security, just like in video production, technology is about simplifying complicated processes and making them more accessible to everyday people. Tasks that were considered complicated and required expensive equipment in the past now reside in the palm of your hand.

Today, nonexperts achieve high-quality videos and photographs with simple video and photo editing apps on their mobile devices and with services they find on the Web. As a result, neighborhood photography studios are practically extinct. This trend doesn’t mean experienced video editors can’t make a solid living for themselves; rather, the talented and professional ones focus on the business sector since it requires better-quality output.

Will automated, cloud-based application security testing services have the same impact on penetration testers?

Traditional Pen Testing — Soon to Be Replaced by Automated Cloud Testing?

As with video editing in the past, the work of the penetration testers is considered complicated and only to be conducted by true security professionals. With that in mind, can it really be replaced by an automated, cloud-based service?

In fact, not a lot of people are truly qualified to work as penetration testers — well, at least not as the best ones. Pen testing is far more than utilizing cool hacking tools and producing vulnerability reports. Great pen testers have deep knowledge of operating systems, networking, scripting languages and more. They are also eager to learn new approaches and put what they learn into practice. They combine manual work with automated tools and conduct their testing in iterations, reviewing interim results to build complex attack chains just as a cybercriminal would.

However, many single-shingle security consultants and small companies offer pen testing services. Some base their services solely on the use of one or more hacking tools and produce attractive-looking reports that detail all the issues they were able to find. As with my old neighborhood studio photographer, there is no real magic there. Instead, their results are based only on the tools they learned to operate and not on any specialized skills, which means that their customers could feasibly automate testing and save time and money by doing it themselves.

I certainly don’t think that cloud-based application security testing services will make pen testers’ work redundant, but I do think they can help clean out the weeds and establish order in the field. I also believe that organizations relying on a penetration testing-only approach to application security place themselves at a high risk of data breaches: a point-in-time test says nothing about the code and threats that appear between engagements. Overall, the best approach is to perform periodic pen testing and combine it with routine application security testing, since new application threats emerge quickly and evolve very suddenly.

The Sweet Spot for Application Security Testing on Cloud

Application security testing on cloud can do more than introduce order into the field. A reliable cloud service brings valuable results that can be used by security experts to reduce some of their busy work, allowing them to concentrate on the more complex aspects of their roles.

Such testing can be leveraged by other groups in the company, such as developers or QA, freeing up expensive security team time and speeding release cycles by enabling teams to identify security vulnerabilities earlier in the development life cycle.
