Pentesting Evolves for the DevSecOps World

flyytech by flyytech
September 8, 2022
As threats become much more pervasive and dynamic, organizations are adopting proactive security measures such as penetration testing to build out a comprehensive security strategy.

Pentesting validates that software and hardware controls have been implemented by using the same tools and techniques an attacker would use to uncover vulnerabilities. This way, organizations can identify gaps in their overall information security program and measure the effectiveness of their patch management and incident response programs.

However, modern DevSecOps teams need more speed and flexibility than what traditional pentesting engagements can deliver. Incremental pentesting programs can help identify and address security gaps more frequently because they focus on smaller segments at a time.

With the needs of DevSecOps teams in mind, penetration testing-as-a-service (PTaaS) is seeing a higher profile.

Development Teams Align Pentesting with DevSecOps

PTaaS company Cobalt announced its new Agile Pentesting service to help security teams align penetration testing with the continuous integration and continuous delivery (CI/CD) pipeline. The smaller pentest engagements can help extend the reach of security teams and accelerate secure build-to-release timelines.

Andrew Obadiaru, Cobalt’s CISO, says that end users of this offering are security and development teams who are looking to align pentesting more closely to their DevSecOps processes.

“These are teams who are pentesting beyond compliance obligations and conducting more targeted tests that focus on a specific area of an asset, or a specific vulnerability across an asset,” he says.

The Agile Pentesting offering allows organizations to focus on a specific area of an asset, such as a new feature or product release, specific vulnerability, or incremental testing.

“Focused pentesting allows organizations and IT teams to quickly determine potential vulnerabilities or security flaws in a specific product or feature prior to deploying into production,” Obadiaru adds.

Incremental Pentesting a Risk-Based Effort

John Steven, CTO at ThreatModeler, an automated threat modeling provider, says part of the prioritization that occurs with incremental penetration testing should be the alignment of test scope with new features and release promises.

“This creates natural alignment between delivery and security priority and focus,” he explains. “Additionally, there’s a quick benefit: defect studies indicate that where code churns, bugs — and vulnerability — are more likely to be found.”

Steven adds that “the dirty secret” is that all penetration testing is incremental.

“Exhaustively testing even a small system would take months,” he says. “Taking an incremental posture on penetration first acknowledges that the effort is ‘risk-based’, prioritizing that which is most impactful and likely.”

Second, it allows the activity to fit more closely within the cadence of delivery, so that its results can be acted on with a minimum (if any) exposure time of vulnerable systems in production.

“Confining penetration testing efforts to those things threat modeling indicates are high impact and potentially likely for a worrying population of adversaries is perhaps the most key optimization organizations can make,” he adds.
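The scoping rule Steven describes, code churn weighted by threat-model impact and likelihood, worked through in Python as an added example; this is not code from the article or from any vendor it quotes, and the component names, path mapping, risk scores and the `git diff --numstat` listing are all constructed.

```python
"""Incremental pentest scoping from code churn and threat-model risk.

Added example; not code from the article or from any vendor named in it.
Component names, paths and risk scores are constructed."""
from collections import defaultdict

# Constructed threat-model register: component -> (impact, likelihood), each 1-5.
THREAT_MODEL = {"auth": (5, 4), "payments": (5, 3), "api": (4, 4), "docs": (1, 1)}

# Hypothetical mapping from repository path prefix to threat-model component.
COMPONENT_PATHS = {"services/auth/": "auth", "services/payments/": "payments",
                   "api/": "api", "docs/": "docs", "infra/": "infra"}

# Constructed `git diff --numstat base..release` output: added, deleted, path.
SAMPLE_NUMSTAT = """12\t3\tservices/auth/session.py
80\t20\tservices/payments/refund.py
5\t5\tdocs/README.md
40\t0\tapi/handlers.py
-\t-\tapi/logo.png
30\t10\tinfra/terraform/main.tf
"""

def component_for(path):
    """Map a changed file to its component; unknown paths land in 'unmapped'."""
    for prefix, component in COMPONENT_PATHS.items():
        if path.startswith(prefix):
            return component
    return "unmapped"

def churn_by_component(numstat):
    """Sum added+deleted lines per component. Binary files report '-' and count as 0."""
    churn = defaultdict(int)
    for line in numstat.strip().splitlines():
        added, deleted, path = line.split("\t")
        lines = sum(int(n) for n in (added, deleted) if n != "-")
        churn[component_for(path)] += lines
    return dict(churn)

def scope_pentest(churn, threat_model, max_components):
    """Rank changed components by impact * likelihood * churn and keep the top
    max_components for this release's test. Changed components with no threat-model
    entry cannot be prioritized and are returned separately, to be modeled first."""
    unmodeled = sorted(c for c in churn if c not in threat_model)
    ranked = sorted(((threat_model[c][0] * threat_model[c][1] * lines, c)
                     for c, lines in churn.items() if c in threat_model), reverse=True)
    ranked = [(c, score) for score, c in ranked]
    return {"scope": ranked[:max_components], "deferred": ranked[max_components:],
            "unmodeled": unmodeled}

if __name__ == "__main__":
    print(scope_pentest(churn_by_component(SAMPLE_NUMSTAT), THREAT_MODEL, 2))
```

Wire the same logic to the real diff between the last tested tag and the release candidate and the output becomes the per-release scope list, with the "unmodeled" entries as the threat-modeling backlog.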

Dave Gerry, chief operating officer at Bugcrowd, a crowdsourced cybersecurity specialist, says a long-standing challenge with pentesting has been the “point-in-time” nature of the tests.

“At some pre-defined period of time, the test is completed against the then-current version of the application and a report is delivered,” he says.

The challenge is that development changes significantly over the course of years, and often by the time a pentest is completed and the report is delivered, the information is already out of date due to application changes.

“By completing incremental testing on the application, security organizations can gain current and ongoing visibility into the security posture of the application as the smaller scope allows for faster testing turnaround,” Gerry explains.

This gives security organizations real-time insight into the current security posture of the application, network, or infrastructure within scope.

Automation Aids Continuous Testing

Jason Rowland, vice president of penetration testing and cloud services at Coalfire, a provider of cybersecurity advisory services, says that continuous testing, given resource constraints faced by the infosec community, will require an approach that maximizes use of testers and offloads work that can be automated.

“Utilizing platforms to perform attack surface discovery and vulnerability identification, as an example, will become prevalent as we unlock the true value of offensive security,” Rowland says.

For an industry overwhelmed by the sheer volume of vulnerabilities, security alerts, and frameworks, prioritizing around the behaviors of the adversary provides clarity and supports better decisions on the use of finite security resources, he says.

“This model is being adopted and will continue to gain prevalence as organizations focus on activities that deliver the specific outcome of minimizing the impact of security incidents,” Rowland notes.

Obadiaru adds that while pentesting is a modernized approach to enhanced security, this process and method will continue to evolve — especially as cyberattacks become more commonplace and complex.

“Security tools will need to remain strong and keep up with heightened demands,” he says. “It’s likely we’ll also see increased use of pentesting in non-traditional security areas, such as mergers and acquisitions, assurance, and regulatory compliance.”

PTaaS Offers Real-Time Insights

Gerry notes that in the past few years, there’s been an increased shift from traditional pentesting to PTaaS.

“Rather than point-in-time assessments, organizations are leveraging pentesting as an important tool in their risk and security program, rather than a necessary evil to maintain compliance with internal or external requirements,” he says.

He explains that, by leveraging a PTaaS offering, security teams gain the ability to view results in real time via a SaaS platform, integrate pentesting into their development and security product suite, and institute ongoing testing across retests, focused-scope testing, and new product capability testing.

“Every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced,” Gerry says. “Security organizations must maintain the ability to gain real-time visibility into the current posture — both from a risk governance perspective and from a compliance perspective.”

Rowland says as organizations begin to prioritize defense and detection capability investments based on the tactics, techniques, and procedures of the actors most likely to target their organization, the role of offensive security has become increasingly integrated and central to the success of the security strategy.

“Since the tactics of the adversary and the attack surface are dynamic, offensive security must continuously validate that the program is keeping pace,” he explains. “Regular testing is necessary to drive and validate adjustments to defenses based on new intelligence, architectural changes, or the introduction of new assets.”

Steven believes that many people think of penetration testing in an “attacker-centric” way, forgetting that penetration testing is a highly technology-specific pursuit when it comes to software and platforms as well.

“We found that specialized teams were necessary for ATMs, automotive, healthcare, Web, and mobile,” he says. “Still others handled mainframe and OS-level penetration testing.”

He says as applications move to the cloud, penetration testing and the teams servicing that activity must adapt.

“The cloud isn’t a single monolith — it’s several major providers, each with tens or hundreds of specific APIs and control sets,” Steven adds. “Penetration testers will have to use tools to discover sprawling cloud-based assets, no longer confined to a datacenter or IP range, and then quickly become experts in the tech stacks used by any in-play orchestration platforms, control planes, and providers.”
