
Penetration Testing and Vulnerability Management Aren’t Enough

In this post I want to give my view on penetration testing versus vulnerability management, and on how Continuous Security Validation can complement both in your armoury.

The Pen isn’t Mightier

Penetration tests are usually expensive point-in-time assessments, driven either by an annual cycle or by a project-related change, e.g. your organisation's latest website, application, or acquisition. Depending on the size of the engagement, the testers are working to a fixed scope and a tight deadline, using that particular firm's own methodology, so what you get is a snapshot of what one team could find in the time available. There are providers challenging this model, such as Synack and HackerOne, but that is a topic for another day.

Vulnerability management comes at the problem from a more automated angle, and whilst the technology has come a long way, the core concept is unchanged: run a scan, the scanner fingerprints that your organisation runs version Y of application X, and it infers a list of potential vulnerabilities that your security team then has to trawl through. Because the finding is derived from a version string rather than from how the software is actually deployed, these tools routinely miss configuration weaknesses: a fully patched service can still be dangerously misconfigured, and the scan will report it as clean.

Both approaches also often require security controls to be weakened to facilitate testing, for example allow-listing the testers' source addresses in the WAF, IPS or EDR so the assessment is not blocked. That means neither gives you a true view of how secure you are, nor tells you whether a compensating control already in place would have stopped a real attack. Add the fact that these assessments are point-in-time, and that good practice is to rotate penetration testing firms so each engagement starts from a different baseline, and you are left with limited assurance against significant cyber incidents, which change daily.

Closing the Security Gap

So how do you close the gap between expensive point-in-time testing on one side and assumed vulnerabilities on the other? I believe that is where Continuous Security Validation technologies can help, especially for small and medium enterprises that do not have huge teams and budgets.

Continuous Security Validation technologies, such as Cymulate, let you rattle the front door, back door, and windows continuously and consistently, and again every time a new immediate threat is released. They provide near-real-time assurance against the latest threats without you having to maintain your own specialist internal testing team and a mixed blend of tools.

Putting Controls to the Test

The real benefit of Continuous Security Validation is its ability to test your security controls in place and confirm how effective those silver bullets you bought actually are. It helps identify vendor flaws, poor configuration, and poor day-to-day management of security tooling and the wider IT estate. How many times have you heard "we'll come back to that later" or "BAU teams can pick that up" when talking about medium (or lower) rated risks or configuration issues? Once the system or application is live and the project is closed, it is next to impossible to get the resource to address them. Continuous Security Validation tooling brings a threat-led view to those issues through immediate-threat and purple-team style exercises, which matters because it is exactly this class of weakness that adversaries chain together to go from an initial foothold to full compromise.

Summary

There is absolutely a place for penetration testing and vulnerability management technologies, as they provide different indicators of performance, such as how well you are patching. However, Continuous Security Validation technologies add a threat-led view aligned to industry frameworks such as MITRE ATT&CK tactics and techniques and the NIST Cybersecurity Framework.

It is worth running a proof of concept to test your security posture and find out how effective your controls really are.