Photo by Dulcey Lima on Unsplash

Penetration Testing as a Service

What is PTaaS, and what benefits does it bring to you?

By Felipe Ruiz | September 21, 2022 | Category: Philosophy

More than a year ago, we talked in a blog post about the growing expansion of the pentesting market and how complex it is becoming for organizations to make the right choice of a provider with so many offers on the table. The problem resides in the fact that many of them can be misleading and do not guarantee a sufficient quality that other providers can achieve in this security testing method. At that time, we highlighted some key attributes you could keep in mind to choose a competent penetration testing vendor. Now, we will inform you about a more recent model, penetration testing as a service (PTaaS), in which traditional pen testing is tweaked to have more value within the agile and now popular DevSecOps methodology. Our intention is that you have a clear understanding of what it is and what benefits it offers before you make a decision.

Introduction: What is penetration testing?

As you saw in the previous paragraph, we used the words "penetration testing," "pentesting," and "pen testing." This is common in this context, but they all refer to the same concept: the security testing of information systems by simulating genuine attacks with the authorization of their owners to detect vulnerabilities. Penetration testing is part of an offensive security posture in which the predominant idea is that the best way to deal with malicious attackers is to think and act like them. This is done by security experts, known as white hat testers, ethical hackers or, precisely, pen testers, using various tactics, techniques and procedures. In their penetration and exploitation results, these experts disclose to owners and interested parties where and how to make adjustments to protect their systems.

The continuous progress in cybercrime and the accelerated evolution of technology make it necessary to evaluate system security time and again. Mistakenly, many organizations believe that implementing automated tools is the perfect solution. And that the more tools they have, the better. Automation fulfills the so-called vulnerability scanning. This, however, acts only as a first layer within a strategy of comprehensive security testing. Systems are checked through this method to quickly detect previously known security problems in them. Not including an active layer of human intervention in a security testing project, precisely with manual pen testing, is a blunder.

We ask you to be aware of our emphasis above on "manual." We speak of manual penetration testing because, in the context of cybersecurity, automatic tools are also attributed the capability of performing pentesting. We do not dispute that tools can infiltrate or find their way into various nooks and crannies of a system. But proper penetration testing should not be limited to automation. Pentesting without human intervention ends up being mere vulnerability scanning. In contrast to what ethical hackers can achieve with in-depth inspection, this method fails to report complex business logic and zero-day vulnerabilities. In addition, it yields false positives and false negatives, which professionals must validate.

How is pentesting usually performed?

A penetration testing service can include among its targets web and mobile applications, networks, IoT devices and many other information systems. It seeks to detect problems in user authentication and authorization controls, exposure of sensitive data, secure coding errors and weaknesses in defense mechanisms, among many other security problems. To begin with the penetration, the pen testers must get the approval of the system owner, who may set certain scope limits. Once everything is agreed upon, the pen testers begin a reconnaissance phase.

First is passive reconnaissance, where hackers collect information about the organization and the target without interacting directly with them. What takes place is the use of external and open sources. Then there is active reconnaissance through direct interaction with the target. The pen testers seek deep profiling with more intrusive information gathering. They identify the technology used and how it works. Furthermore, they determine possible entry and attack vectors.

Subsequently, pen testers use scanning tools and manual methods that contribute to the identification of vulnerabilities. They analyze through various factors the level of risk and the impact that may generate the exploitation of each security issue. After all the planning, the hackers try to exploit the vulnerabilities in a creative way (something that an automatic tool cannot do), preferably within a staging environment. They get access to the target with different methods (e.g., privilege escalation and lateral movement), at varying levels of depth, in order to determine real impacts.

Once the task is completed, the pen testers compile their results in technical and executive reports. These present to the stakeholders details on the vulnerabilities detected and exploited, the system's responses to the penetration, the data they accessed and all other information about the simulated incident. Additionally, they provide evidence of the security issues and recommendations for their remediation.

What is PTaaS?

Before cloud computing, pentesting was usually contracted to be carried out as a one-shot assessment between extensive time intervals, for instance, on an annual or semi-annual basis. (However, if they apply it at all, many organizations still request it this way.) In this model, results are delivered to the client only in a final static report that might already have outdated data. Pentest as a service (PTaaS) emerged as a new delivery model for penetration testing to eliminate previous limitations. It's tailored to today's development speed and performed continuously while the software evolves at a certain pace in the SDLC (software development lifecycle). Results are delivered incrementally based on new findings.

PTaaS uses a cloud-based centralized platform where the results can be viewed, monitored and analyzed continuously. The client can achieve successful vulnerability management since this new steady model helps solve the problem of prioritization and remediation caused by the previous model, in which all vulnerabilities, old and new, are left to be reported at a single point in time. Another difficulty solved with PTaaS is the limited or non-existent collaboration between developers and pen testers. The latter can now support the former frequently, resolving their doubts and providing them with remediation recommendations or instructions.

In PTaaS, there must be automated and manual pentesting. This model recognizes that human creativity is still indispensable in the assessment of systems. If it were only the former, we would end up talking simply about software as a service (SaaS). Continuous manual penetration testing is combined with vulnerability scanning to enjoy the benefits of both solutions. Experts and tools can ensure that a wide variety of security testing methodologies are used. While automated tools concentrate on the fast detection of known vulnerabilities, pen testers engage in discovering more complex and even previously unknown vulnerabilities. Pen testers also correlate their results and validate those delivered by the tools making sure that the final report is correct and that nothing was missed.

Benefits of PTaaS

From a proficient PTaaS provider, you can expect the following:

  • An integration of automation and ethical hackers or pen testers that improves the efficiency and accuracy of security testing.

  • A single pane of glass with all relevant data during the penetration testing that gives you broad and convenient control for vulnerability management.

  • The data are always available and continuously updated as your system assessment progresses; a procedure that remains alert to recent changes.

  • Vulnerability remediation can be performed soon after identification, following a prioritization. You avoid going into production with a high risk of being harmed by cyberattacks.

  • Their model enables constant collaboration between the group of pen testers and your team of developers.

  • Once you have remediated a vulnerability, you can request verification of the effectiveness of the implemented solution.

PTaaS by Fluid Attacks

In line with the above, whether you are attempting only to comply with standards such as PCI DSS, NIST, GDPR, HIPAA, etc., or aim for a broader commitment to the security of your company and customers or users, at Fluid Attacks, we offer optimal PTaaS. We test in safe mode (i.e., without affecting the availability of your services) the security of your web and mobile applications, networks, devices, cloud infrastructure and other IT systems. We combine our automatic tools with manual penetration testing by our cybersecurity experts, who have highly reputed certifications and diverse skill sets. In this way, we obtain minimum false positive and false negative rates.

We integrate PTaaS into your SDLC from the start and test your software at the pace of your development team and their micro changes. On our Attack Resistance Management platform (ARM), you continuously receive detailed reports as the assessment advances. These make it easy for you to understand your risk exposure and prioritize security issues for their remediation. Your developers can maintain communication and collaboration with our hackers, from whom they receive clear and tangible evidence and fixing recommendations. In addition, our team offers you unlimited reattacks to verify that your vulnerabilities have been effectively closed. Moreover, our DevSecOps agent breaks the build to prevent vulnerabilities from going into production if they remain open, in accordance with your organization's policies.

This solution is part of our Continuous Hacking service. We invite you to contact us if you are interested in experiencing the benefits of our pentesting as a service (PTaaS). If you want to get started with our security testing services by automatic tools, we have a 21-day free trial of our Machine Plan at your disposal.

Ready to try Continuous Hacking?

Discover the benefits of our comprehensive Continuous Hacking solution, which hundreds of organizations are already enjoying.

Internal CTA
Start free trial