The Gold Standard of Continuous Pentesting

Taking what’s great about pentesting and making it better

Nearly everyone agrees that penetration testing is key to ensuring your security controls are effective, pointing out where gaps lie, and confirming you are meeting compliance requirements. But a once-a-year pentest is no longer sufficient in the rapidly changing threat landscape. A continuous model is quickly becoming more and more essential but also more and more doable for teams. 

Tom Eston, VP of consulting and Cosmos at Bishop Fox, joined Dan DeCloss, founder and CTO of PlexTrac, for a Friends Friday episode on their mutual support of continuous pentesting as the gold standard model to maturing security posture. Watch the episode for pro tips for teams on how to actually adopt it. 

Tom’s work over his 18 years in cybersecurity and offensive security has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry-standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of The Shared Security Podcast, one of the longest-running casts in the industry.

Watch the full episode or read on for the highlights.

The evolution of pentesting and the cybersecurity industry

“I think the evolution of pentesting is just been a lot of growing up,” said Tom. Tom and Dan kicked off the episode with a historical look at pentesting, as both have deep roots in the craft. They discussed how it is continuing to evolve in terminology, automation and tooling, and methodology. 

Tom explained the challenges of creating a shared vocabulary as a foundation for maturing penetration testing and understanding of it in the industry. “Everything is a ‘red team’ these days, right? And the term ‘red team,’ it’s not the correct term for every single type of penetration test. It’s kind of like back in the day when we would have arguments over vulnerability scanning versus pentesting — two different things. And then we have to explain, we have to, like, give examples. And now it’s like red teaming is not the same as penetration testing.” 

Dan agreed and commented on the value automation has provided to the growth of pentesting. “And then what you also alluded to is like that, that hackers, you know, naturally are lazy. It’s like if I have to do something twice, I can try to automate it. Right? So, I think that’s what we’ve seen, how the industry has evolved. I think the low-hanging fruit really has become a lot more automated. Right. Being able to find, the low-hanging fruit, so it does free up the more of the mental capital on the really complex exploitation to a degree.” 

Tom replied, “And that’s been a good thing, right? Like I’ve always been a proponent of, from a manual pentesting perspective, we should spend more of our time looking for the things that automation does not find or does not find very well. You need the expertise and you need the talent to really discover those things. Nowadays, there’s even more automation that can start to discover and start to assist the pentester is how I look at it.” 

The growing need for frequent, focused pentesting

With the growth of automation and AI has also come an explosion of threats and breaches that organizations must contend with. Dan and Tom discussed this growth as the catalyst for continuous pentesting becoming the gold standard model. 

Tom said, “And I think organizations are struggling right now with the rate of exploitation and how quickly things are discovered, and exploited. And the next thing you know, you’ve got ransomware you’ve got to deal with. And so pentesters, we have to evolve as well. One time a year is usually not enough for an organization from a testing perspective. And so I think we’ve all adopted more of the mindset of doing pentesting on a continuous basis. I mean, this is nothing new, right? We’ve been talking about this kind of thing for years, but I only think in the last couple of years, maybe five years or so, that we’ve seen the way we do continuous penetration testing really start to take hold. There are a lot more vendors in the space, obviously, but I think pentesters and pentest teams are starting to change their methodology and change the way that they do things.” 

Tom went on to describe and define the concept of continuous pentesting. “I see it more now of like you’re actually doing like breach simulation. You’re taking things to the next level. You’re doing these things on a more continuous basis and you’re really focusing the testing on the organization’s risk or the riskiest assets. And so when I think of continuous pentesting, I think of asset management understanding where your assets are, understanding the vulnerabilities of those assets and then really focused and then doing targeted testing on that continuous basis. So it’s, you know, you’re, you may be doing one test at one time, but there may be other testing that’s overlapping that existing test. You’re doing something continuously.” 

Dan added, “I think that what has excited me is like, what you alluded to over the last five years, it does feel like the message is coming through. Again maybe I’m sitting in an echo chamber here, too, but I think that most people recognize the value of penetration testing. And that it’s highlighting some of the key, the most sensitive and high, highly critical risks in your environment because they can be exploited. But also the fact that, like, yeah, that’s really valuable, but it can be expensive if you don’t, like, plan for it the right way. And there are some economical and resource-friendly ways to do that, not purely through automation, but like an augmented mixing manual testing, whether that’s internal or contracted service with automation.” 

How to get started with a continuous pentesting strategy

After making the case that continuous testing is both valuable and necessary, the episode concluded with tips for getting started in implementing a continuous testing model. 

Tom said, “I would say start small is my first recommendation. I’m a big fan of doing your one large initial assessment of an application. Then you do delta testing throughout a set period of time where you’re capturing changes. You’re building that alongside the development lifecycle when new releases come out and you’re doing very specific targeted testing, which seems to work a lot better than just doing one full pentest every time on the same stuff. And there’s now some technology that can help with that of doing better kind of delta testing, which we’ve seen.”

Tom continued, “The other point to make too, because I mentioned the developers, especially in application security testing. I advocate talking to your development teams and understanding their development lifecycle. The security team needs to be aligned with your development team and have a good relationship where you’re talking about, hey, we’re going to implement a continuous pentesting program and viewing them as a partner in that versus, ‘Hey, we’re the security team. We’re doing continuous pentesting. Here you go. You just have to comply.’ That’s not a good way to do it. So I see a lot more success when the security teams are partnered and have great relationships with their development teams that will go a long way.” 

Dan concluded, “I think those of us that have been around the security industry for a long time probably experienced a lot of the tension that, especially early on when we were trying to convince people to invest in security, and I think we’ve all learned that coming at it from a partnership perspective — like, hey, we’re all help — is much better. We’re all here on the same mission.” 

Follow PlexTrac on LinkedIn for more informative and entertaining PlexTrac Friends Friday casts with top industry leaders and influencers.