News & Views

Why continuous pen testing is more than just a cyber security health check.

Like many things in life nowadays, pen testing is often seen as a sliding scale from simple to better to best: the more often you can do it, the better.

With e-commerce now the way most of us interact with the services we need, and businesses of all sizes looking to extend and automate their online presence, the need to protect customer data, safeguard business reputation and defend against cyber breaches has never been more acute.

Single pen tests – a snapshot in time

One-off pen tests are highly effective as a static picture: they can validate requirements, prove compliance and satisfy PCI DSS requirements.

But businesses don’t stay static and neither does the cyber attack landscape.

A single pen test proves that your house is secure at that moment in time, but 24 hours later something might have changed, and someone could break in.

Repeat pen testing – the power of comparison

Repeat penetration testing, e.g. two to four times a year or once a month, still only proves that you’re secure at the point of the test. However, the main benefit of this more regular testing regimen is the ability to see that something has changed.

On an ongoing basis this demonstrates risk levels and highlights where focus is needed. It’s also a very powerful part of a change control process, showing you whether and where you’ve introduced vulnerabilities by making alterations to the environment. Ideally pen testing should be performed before and after a change is made, which again has the benefit of giving you a direct comparison and exposing vulnerabilities quickly.

Frequent app updates need frequent checking

In the world of app development, everything happens so fast and at such a scale that things can go wrong at the same scale.

The frequency of change in automated app updates, sometimes multiple times a day, means that pen testing needs to be part of the update process.

Modern DevOps teams no longer issue periodic app updates and bug fixes; they use CI/CD pipelines to automate development continuously, making iterative changes that are almost impossible to keep track of. Yet these changes can introduce gaps in your cyber posture.

Continuous pen testing for effective network profiling

The gold standard for pen testing now sees it embedded as a continuous process that goes beyond a snapshot in time and becomes an ongoing vulnerability monitoring and intelligence capability. By pen testing your network continually, you learn more about the operating systems, apps and technology running across your estate, and so can proactively assess your exposure against CVE notifications as they arrive.

The most advanced pen testing products now enable the pen test to be automated through APIs as part of the deployment process, giving you notifications of the changes and possible exposures they’ve introduced. If the change that’s been made has directly caused vulnerabilities, the product identifies which iteration of the update was responsible and can roll back automatically to the trouble-free version.
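The before/after comparison described above for change control, together with working out which iteration to roll back to, can be expressed as a gate in the deployment pipeline. This is an added example, not FullProxy's or any product's code; the hosts, finding identifiers and severities are constructed samples, and the scanner that produces the findings is assumed to sit behind an API outside this snippet.

```python
from dataclasses import dataclass

# Added example (not a product's code): severity ordering used by the gate below.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    finding_id: str   # constructed sample id, not a real advisory number
    severity: str     # one of SEVERITY_RANK's keys

def new_findings(before, after):
    """Findings present after the change but not before: what the change introduced."""
    return sorted(set(after) - set(before), key=lambda f: (f.host, f.port, f.finding_id))

def deploy_gate(before, after, threshold="high"):
    """Compare two scans. Returns (ok, introduced); ok is False when the change
    introduced at least one finding at or above the severity threshold."""
    introduced = new_findings(before, after)
    blocking = [f for f in introduced
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]]
    return (not blocking, introduced)

def rollback_target(baseline, scans, threshold="high"):
    """scans: [(iteration_id, findings)] in deploy order, each scanned after it
    shipped. Returns (last_good, first_bad): roll back to last_good, or to the
    baseline when last_good is None; first_bad is None if every iteration passes."""
    last_good = None
    for iteration_id, findings in scans:
        ok, _ = deploy_gate(baseline, findings, threshold)
        if not ok:
            return last_good, iteration_id
        last_good = iteration_id
    return last_good, None

# Constructed sample data: a pre-change baseline scan and three successive iterations.
LOW = Finding("web01.example", 8080, "SAMPLE-0002", "low")
CRIT = Finding("web01.example", 22, "SAMPLE-0003", "critical")
BASELINE = frozenset({Finding("web01.example", 443, "SAMPLE-0001", "medium")})
SCANS = [
    ("v1.0.1", BASELINE | {LOW}),          # a low finding only: passes the gate
    ("v1.0.2", BASELINE | {LOW, CRIT}),    # introduces a critical: fails the gate
    ("v1.0.3", BASELINE | {CRIT}),         # still carries the critical finding
]

if __name__ == "__main__":
    ok, introduced = deploy_gate(BASELINE, SCANS[1][1])
    print(ok, [f.finding_id for f in introduced])   # False ['SAMPLE-0003', 'SAMPLE-0002']
    print(rollback_target(BASELINE, SCANS))          # ('v1.0.1', 'v1.0.2')
```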

Beyond pen testing for a dynamic vulnerability assessment capability

As part of the implementation process, the user specifies what range of IPs they want to scan and how many devices are in that range. A top-level pen testing product will also proactively monitor other software and devices that get connected to that subnet, 24/7. These can then automatically be pen tested as they connect, and become part of your CI/CD development process.

Pen test tools can integrate with MDR and XDR solutions to further enable automated detection and response, using the insights provided by the pen testing regime to patch and fix problems as they occur.

Ultimately, continuous pen testing has the power to become an automated, intelligent and fully integrated part of a comprehensive cyber stack, identifying, tracking and neutralising hacking activity before it penetrates your data and affects your organisation. For information about advanced pen testing or to chat to a FullProxy expert about securing your environment, please get in touch.
