3 Key Problems Security Professionals Have With Traditional Penetration Testing

By : Rena Chua | Friday, October 23 2020 - 11:35 IWST

Rena Chua, Bug Bounty Advisor at HackerOne (Photo by Linkedin)
Rena Chua, Bug Bounty Advisor at HackerOne (Photo by Linkedin)

INDUSTRY.co.id - Penetration tests are a fundamental part of any security apparatus, but they’re traditionally seen as a one-and-done annual exercise. You hire a consultant, they run a pen test, you get a report. However, is that enough? With the rise of digital transformation, many companies are finding traditional penetration testing increasingly ineffective.

Penetration testing is a good baseline for evaluating system vulnerabilities and an industry best practice that supports routine security hygiene. Many companies also use pentests to pass vendor assessments and meet compliance standards like HITRUST, SOC 2 and ISO 27001. However, traditional pentests aren’t enough to demonstrate security effectiveness.

Forrester Consulting conducted a “Total Economic Impact (TEI) Study“ on HackerOne Challenge, a time-bound hacker-powered security program. Based on customer interviews, the study identifies 3 key problems with traditional pentesting solutions and evaluates the benefits of time-bound testing using ethical hackers.

1. Traditional pentesting missed critical vulnerabilities

Traditional pentesting was missing critical vulnerabilities and sometimes focused on irrelevant vulnerabilities that would not occur in a real attack, e.g., needing physical access to a machine. This left systems vulnerable and risked breaches that could result in large remediations costs, lost customers and revenue, and reputational damage.

One participant of the study said: “[Pentesting] used to be a frustrating process. What they were finding wasn’t relevant. For example, they said the password was being exposed in the computer’s memory. Why does it matter? If you broke in and got physical access to the computer, you could put in a key-logger. They weren’t finding practical exploits.”

2. Expanding attack surfaces leave security teams stretched thin

Fuelled by the COVID-19 pandemic, companies are rushing to meet remote work requirements and customer demands for digital services. As a result, attack surfaces have dramatically expanded, leaving security teams stretched thin and not staffed to cope.

To illustrate this point, Marten Mickos, CEO of HackerOne recently shared: “Businesses realised that they have been too slow with their digital transformation and cloud migration. HackerOne research revealed digital initiatives had accelerated as a result of COVID-19 for 37% of security leaders in Singapore. Nearly 40% were forced to go through it before they were ready. The strain this puts on security teams is immense.”

3. Creating an in-house bug bounty program would have been too labour-intensive

Several companies looked at creating their own bug bounty programs but concluded that building out the systems and processes internally would have been too costly and time prohibitive. One participant shared: “My predecessor had been thinking about using bug bounties. The prospect of doing it all on our own was daunting, especially when companies like HackerOne offer this service.”

An Alternative to Traditional Pentesting: A Time-Bound Bounty Challenge

Just as bug bounty programs have proven the value of using a large and diverse set of hackers to identify security vulnerabilities on a 24/7 basis, those same hackers can bring their speed and expertise to bear over a set period of time in a time-bound bounty challenge — HackerOne Challenge.

A time-bound bounty program is repeatable as desired and combines structured testing with unstructured ethical hacking, targets designated systems and applications for vulnerabilities. Several of our customers have switched from traditional penetration testing to time-bound bug bounty challenges and one of the common pieces of feedback we get from customers is that they are getting much better results than traditional pen-testing and at a more cost effective price.

The Forrester TEI Study identified the following key results among customers using HackerOne Challenge:

HackerOne found more vulnerabilities and provided better remediation recommendations

The most important benefit was finding more vulnerabilities, both in terms of numbers and criticality, in order to remediate them and create better system security. HackerOne found vulnerabilities across internal- and external-facing systems, websites, mobile applications, and internet-of-things (IoT) devices.

Ethical hackers’ creativity was a major reason more vulnerabilities were uncovered. One participant stated: “We had some vulnerabilities found in our first HackerOne Challenge. We learned a lot from the triaging and created a remediation cycle for high and critical vulnerabilities.” Another participant explained that their “pen tests used to be limited by the skill level of the assigned team. Sometimes they get very settled in how they approached a problem. When you bring in the crowd with HackerOne, you have different perspectives and better results.”

Companies can deliver code faster

Customers eliminated vulnerabilities in development and delivered secure applications to their production environment. HackerOne leverages familiar industry standards — (ISO/IEC 15408) and CVE (Common Vulnerabilities and Exposures) — and applies them with the angle of identifying software vulnerabilities at every phase of the software development life cycle.

By applying security analysis and monitoring at every step, customers were able to ship secure code faster, as one participant indicated “We would need a lot more time to complete on our own what we do with HackerOne.”

The effort to manage pentesting decreased

HackerOne manages the vulnerability testing process to reduce customers’ effort and provide results faster. To illustrate, one participant said: “Traditional pen tests can be very expensive and take months. You can get past a lot of that with HackerOne.”

In summary, the security landscape is ever evolving and organisations will have to step up their game.

Traditional pentesting is no longer sufficient in today’s modern digital world. Focused, time-constrained security testing using the creativity of hackers (HackerOne Challenge) helps organisations find more relevant vulnerabilities and ship secure code faster. With hacker-powered security, organisations pay only for found and validated vulnerabilities, and hackers bring nearly unlimited diversity of skills, approaches, and experience. In other words, organisations get an army of hackers eager to uncover and report bugs of all types.

News Comment

Today's Industry

Ilustration Hackers (Photo by Microwire.info)

Jumat, 30 Oktober 2020 - 11:20 WIB

Organisations Paid Hackers US$23.5 Million for These 10 Vulnerabilities in One Year

HackerOne report reveals cross-site scripting, improper access control, and information disclosure top list of most common and impactful vulnerabilities.

Clean Earth Technologies (CET)

Jumat, 30 Oktober 2020 - 10:30 WIB

Clean Earth Technologies’ New Class Of Polymers Invented By Associate Professor, Justin Chalker, Receives Australian Pm’s New Innovator Award

Associate Professor Justin Chalker has invented a novel class of polymers synthesised directly from elemental sulphur which is a waste by-product of the petrochemical industry and renewable…

SMILE to Empower Smallholders

Kamis, 29 Oktober 2020 - 08:35 WIB

Kao Corporation, Apical & Asian Agri Join Hands to Empower Smallholders with SMILE Program

SMILE or the SMallholder Inclusion for better Livelihood & Empowerment program to help independent oil palm smallholders in Indonesia improve their yields, acquire international certification,…

Industrial Area Ilustration

Rabu, 28 Oktober 2020 - 08:40 WIB

CFLD Develop a Strategic Industrial Area which is Supported by Seven New Infrastructures

Segye ASEAN Forum 2020 which is a series of Indonesian and Korean Manufacturing Industry Partnership forum events held, was attended virtually by more than 500 executives from well-known manufacturing…

Hilton – Asia Pacific (Photo by Hilton Asia Pacific - Posts | Facebook)

Selasa, 27 Oktober 2020 - 15:40 WIB

Waldorf Astoria to Debut in Japan with Milestone Signing In Tokyo

Set to open in 2026, Waldorf Astoria Tokyo Nihonbashi to Offer Timeless Luxury and Unrivaled Service in Japan’s Cultural Capital.