Adoption of DevOps is increasing the rate of software deployment. A recent survey by DevOps Research and Assessment (DORA) and Google Cloud found that elite DevOps performers—nearly 7,000 of the companies surveyed—have 208 times more frequent software deployments than their peers, reaching an average of 1,460 deployments annually. Impressive, right? Not if those companies do not take the proper security considerations into account throughout the software development life cycle (SDLC).
Historically, development and security teams have had difficulty seeing eye to eye—notoriously, development requires speed and security slows things down. But application security, namely application pentesting, is evolving to meet the demands of development teams and break down the barriers to achieve DevSecOps. And automation is paving the way.
Out With the Traditional Way of Application Penetration Testing
When done effectively, application penetration testing identifies, validates, and prioritizes vulnerabilities in your web, mobile, and thick applications. During an engagement, pen testers leverage highly specialized tools, custom testing setups, and real-world adversary techniques to find and exploit application security gaps and support the remediation of the most important vulnerabilities.
Historically, application penetration testing has been viewed as a tool that “checks a box” for regulatory compliance or to meet customer expectations. The process of traditional application penetration testing is static in nature. A team of manual pen testers are hired to find as many vulnerabilities as possible, often delivering the results in a long-form PDF and leaving development and security teams with a laundry list of remediation tasks to complete, often without context. And believe it or not, you can still find this “traditional” way of application penetration testing being done today.
Traditional application pentesting presents several challenges. It is typically completed once or twice annually and can leave critical vulnerabilities unpatched as attack surfaces constantly shift and applications go through incremental changes. There can also be a lack of integrations within the SDLC, slowing remediation and development. Traditional application testing is a lengthy process, given it relies heavily on manual processes—so how can the security industry adapt to keep up with the speed of DevOps?
It is evident that application penetration testing is facing a pivotal moment of evolution, one that is driven by automation to meet the demands of modern software development while maintaining operational efficiencies and mitigating risk.
Achieving Balance Between Manual and Automated Processes
Organizations need to address large volumes of application vulnerabilities and remediate them, but most security teams are faced with doing more with less due to budget restrictions, lack of resources, and time constraints. Automation is critical for handling mundane processes to free up time for pen testers, developers, and others to focus on more strategic activities. When used correctly in application penetration testing, automation becomes a force multiplier. But it won’t find all vulnerabilities.
It is important to note that automation is not a complete solution. Human context is necessary for a successful penetration testing program—you cannot rely on automation alone. In fact, a recent internal NetSPI study provides demonstrable measures on why manual penetration testing is necessary: 37% of critical vulnerability discoveries were found through automated scans, while 63% were found through manual pentesting. You cannot implement automation without manual processes and vice versa.
Automation’s Role in Modern Application pentesting
It’s clear that traditional application penetration testing needs to evolve to catch up to today’s modern application development—and automation is a catalyst for this evolution. Here are three reasons why automation is essential in the transformation to modern application pentesting:
Understand and protect the expanding application security attack surface
Today, most of an organization’s security risk lies in its applications. It’s no surprise that this study on CIO and CISO prioritization ranked automation and application security at the top of the priorities list for 2021.
Plus, the application attack surface is growing. With the serverless concept, an application can be built where we do not have to connect to the underlying OS database aspects of it, expanding the attack surface at the application layer. From a testing perspective, we can keep track of vulnerabilities and protect the growing attack surface through the integration of automated technologies, such as interactive application security testing (IAST) and runtime application self-protection (RASP), into the secure SDLC and penetration testing processes.
To monitor the attack surface, IAST tracks coverage metrics and monitors what has been tested. It also helps identify which new applications may need additional manual penetration testing focus. To protect the attack surface, RASP solutions can instrument an application and have the ability to detect attacks and block attacks at the application layer. Both IAST and RASP are automated technologies that are gaining adoption and popularity.
As mentioned above, traditional application penetration testing is typically done just once or twice each year, or after a major release, to adhere to compliance guidelines. This approach is not effective in managing vulnerabilities, as its infrequency can cause organizations to miss critical vulnerabilities introduced between tests. Continuous testing, or Penetration Testing-as-a-Service (PTaaS), leverages automated testing tools to provide always-on testing of your applications throughout the year. If an organization is already leveraging IAST tools, they can be integrated into the continuous integration/continuous deployment (CI/CD) processes to create continuous security testing using automation.
Address modern SDLC complexity with automated instrumentation tools
Tools that are frictionless to development teams are needed. As an industry, we have used static application security testing (SAST) and dynamic application security testing (DAST) tools for ages, but they are not necessarily built to enable developers. Automated instrumentation tools are the solution to this.
Automated instrumentation tools are very similar to the existing tools development organizations use to calculate and measure performance telemetry. Dynatrace is a great example of this. It is an agent-based solution that is implemented and monitors everything that is happening in a given environment. As an equivalency, IAST gives you security telemetry.
Instrumentation tools, like IAST, allow for visibility into the internals of an application, thus reporting low, if not zero false-positive vulnerabilities. Its integration into software enables it to automatically share updates and new vulnerability findings in real time as a part of a development team’s regular workflow. In other words, it allows security to become an inherent part of the secure SDLC without disrupting the DevOps ecosystem.
In addition, application security teams can use IAST in conjunction with modern pentesting to create efficiencies while lowering application security risk. Pentesting with IAST allows teams to discover critical vulnerabilities that tools cannot find.
What Is Interactive Application Penetration Testing?
Interactive application penetration testing is, simply put, application pentesting with the support of an IAST agent instrumented into the environment of the application being tested. To achieve interactive application penetration testing, an organization requires an IAST agent be instrumented and must give its pentesting partner access to its results.
The upside is that NetSPI’s Resolve™ penetration testing and vulnerability management platform seamlessly integrates with Contrast Security’s IAST tool Contrast Assess. Together, IAST identifies vulnerabilities commonly found by SAST and DAST tools such as the OWASP Top 10—or “low-hanging-fruit” vulnerabilities—giving manual penetration testers the time to test for vulnerabilities that tools cannot detect, such as authentication and authorization issues, business logic flaws, and creative exploits of functionality within an application.
Traditionally, pentesters spend a significant amount of time getting dynamic scanning tools to work and triaging their results, then performing additional manual tests. In the case of manual tests, pentesters must still look for the common vulnerabilities that a DAST tool may have missed.
Due to the high accuracy of an IAST tool, penetration testers gain the ability to focus on real vulnerabilities. With a high level of confidence, pentesters can focus on analyzing application behavior, the business functions it supports, and how to make an application misbehave versus spending time looking for common vulnerabilities such as SQL injection, cross-site scripting (XSS), etc. A human should not have to look for these common vulnerabilities, because an IAST tool should find them.
Interactive application penetration testing reduces the cost of pentests because it requires less time and resources to complete the assessment. It also enables higher quality pentesting results, notably when leveraging continuous testing, because it allows testers to focus their time searching for the creative, meaningful vulnerabilities.
Lastly, when IAST is adopted as an integral part of the secure SDLC, the agent is included in the day-to-day development activities. So even when penetration testing is not being done, an automated analysis is happening all the time and will notify security and development teams of new vulnerabilities in near real time. It’s a way to break down barriers between the security and development teams while also taking a major step toward achieving efficient DevSecOps.
For more details on how IAST can be leveraged to enhance penetration testing, register for our upcoming webinar—"How To Streamline AppSec With Interactive Pentesting.”