So You Delivered Your Report, Now What? The role of pentesting in continuous validation By Dan DeCloss, PlexTrac Founder/CTO We all know that delivering the final pentest report isn’t the end of the road. It’s really just the beginning — and it should be. Annual pentests are becoming a thing of the past in favor of strategies that involve shorter iterative cycles of testing, remediation, and validation. So where does pentesting fit into a continuous validation paradigm? By merging the pentesting and continuous validation life cycles, pentesters can deliver more value post-engagement and set the stage for their organizations or clients to conduct more frequent, more productive pentests. The penetration test life cycle: The end is just the beginning Delivering the report is not and should not be the end of the pentesting life cycle. Even for pentesters working at service providers who do not handle remediation, your expertise should at least inform the read-out and any necessary validation of your findings. We are all familiar with what happens when the pentest ends abruptly with the delivery of a 300-page PDF report — we find the same issues again the next time we test. The pentester can and should do more. Intentionally merging the pentesting life cycle with a continuous validation strategy can exponentially increase the value of pentesting in organizations making and demonstrating progress. Head toward the larger goal of pentesting The first step toward merging pentesting into a continuous validation strategy is to go back to the primary purpose of pentesting: helping the organization actually get better. We do this by proactively detecting vulnerabilities so our clients or organizations can more effectively prevent compromise. Continuous validation is a strategy to help organizations make and measure their progress toward this goal — the primary objective of pentesting. Therefore, pentesting and continuous validation, regardless of whether the pentesting happens internally or externally, are complementary activities. Race on the same track with the defenders The key is thinking about value beyond the delivery of a static report. Instead of a linear point of view with the report as the final deliverable, pentesters should think cyclically, remembering that remediation and validation need to happen — even if they aren’t directly involved. How we communicate the results of the pentest takes on a different dimension when actively accounting for those trying to put the information to use. When we break down the ingrained siloes between the teams, it opens up opportunities for pentesting to play a more active and valuable role in the greater security life cycle. Educating, prioritizing, validating, retesting, and advising become important aspects of the penetration test in addition to planning, exploitation, and reporting. This broad view of pentesting opens the door to more interactive and focused testing like purple teaming, threat-informed pentesting, and, of course, continuous validation. The continuous validation life cycle: The fast-track to improvement The concept of continuous security validation recognizes that security is an ongoing process, not a one-time event. Continuous validation involves shorter testing cycles that align with the dynamic nature of cybersecurity. This methodology involves testing, remediation, and validation as an iterative process, rather than an isolated annual event. Because continuous validation involves short, focused cycles, programs can move more quickly than in a traditional paradigm and realize and measure results in real time. Leverage pentesting to deliver continuous validation Rather than just serving as a comprehensive annual checkpoint, penetration testing can play a larger role in helping organizations achieve continuous validation. The goals of continuous validation include: Proactively identifying vulnerabilities Detecting and responding to threats Ensuring compliance Adapting to emerging risks Validating remediation success Enhancing overall security posture Pentesting can help in all of these activities. Strategically leveraging pentesting more frequently and in more targeted and collaborative ways supports each point in the continuous validation cycle. Supercharge continuous validation with more pentest activities Full-scale pentesting engagements are the gold standard but aren’t necessarily agile enough to support the fast cycles of continuous validation alone. Augmenting continuous validation with other pentest activities such as PTaaS, BAS, continuous validation solutions, threat-vector-based pentesting, purple teaming, and tabletop exercises provides targeted findings and clear direction on how to remediate and what to validate. These supplemental automated and targeted pentesting activities can happen on an ongoing basis to ensure findings are prioritized and tracked. Conquer the last mile of continuous validation The in-depth, manual work performed by a skilled pentester is still crucial in a continuous validation model, even with automated processes and tools. In fact, manual validation of remediation helps conquer the most difficult stage in continuous validation — the last mile. Verifying that fixes were successful and comprehensive is what continuous validation is all about. Retesting and validating with pentesting both closes the loop and provides direction for future testing as the cycle begins again. This more collaborative and ongoing pentesting can be implemented by adopting continuous validation principles. For example, workflow automation (JIRA, SNOW, CI/CD, etc.) that helps track remediation in the continuous validation cycle can also help pentesters communicate findings more rapidly and collaborate more effectively with clients or internal stakeholders. Streamlined pentesting cycles reduce mean time to remediation and enable the iterative progress that makes continuous validation valuable. The merged life cycles: The key to accelerating success Pentesting and continuous validation are complementary security activities that together can truly improve the posture of organizations. Pentesting focused on supporting continuous validation can add more value to internal teams and support more strategic and frequent service offers for clients. Pentesting that extends beyond the report to strategically support each stage of the continuous validation life cycle requires a programmatic approach and strategic partnership with all stakeholders. It’s hard, but well worth the effort. Find out how PlexTrac helps security teams achieve continuous assessment and validation with workflow automation. Dan DeClossPlexTrac Founder/CTODan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.
Introducing Plex.AI: Your Sidekick for Even Faster Pentest Reporting Introducing Plex.AI: Your Sidekick for Even Faster Pentest Reporting PlexTrac already cuts pentest reporting time by 50 percent, but we’re about to bring you even more speed. introduction of Plex.AI –... READ ARTICLE
Defending Against AI Attacks AI challenges and opportunities for black hats, white hats, and blue teams READ ARTICLE
ANNOUNCEMENT New! Streamline Pentest Reports With Plex․AI.· Learn more >> ANNOUNCEMENT New! Streamline Pentest Reports With Plex․AI.· Learn more >>