Not too long ago, in August 2021, Conti operators successfully targeted SAC Wireless, a U.S.-based Nokia Subsidiary, with a ransomware attack. After an internal investigation, SAC found a laundry list of vulnerabilities in their security system that the Conti hackers could take advantage of. These were vulnerabilities that could have been proactively identified and addressed before the data breach ever occurred.
Enter Pen testing-as-a-Service (PtaaS). Through PtaaS, it is possible to pinpoint vulnerabilities – like the ones exploited in the Nokia attack – and stop cybercriminals before they even have a chance to exploit them.
In a virtual interaction, Minu Sirsalewala, Editorial Consultant, CISO MAG, and Eric Brinkman, Chief Product Officer at Cobalt, discussed how identifying security vulnerabilities early is more important than ever. Brinkman also opined that PtaaS providers have become a critical component across all security programs.
As the Chief Product Officer at Cobalt, a PtaaS company, Brinkman leads product vision, enhancing the existing suite of offerings and identifying innovative ways to meet and exceed the needs of current and future customers.
Brinkman is a seasoned technology industry veteran with 15 years of experience driving and sustaining long-term product growth. Previously, as Senior Director of Product at GitLab, he founded the company’s first growth team, which evolved into a critical component of the company’s business approach. He built and managed product teams that innovated on widely successful GitLab product features and functionalities and developed new product areas such as Compliance Management, Design Management, Requirements Management, and Quality Management. Notably, Brinkman led the product team that secured GitLab’s placement on the 2020 Gartner Magic Quadrant for Enterprise Agile Planning Tools.
Excerpts from the interview follow:
What is the importance of preventive security measures? Can you explain why they have gained so much importance in the past year?
SolarWinds. Colonial Pipeline. Kaseya. Robinhood. Cyberattacks have been growing in frequency and intensity over the past decade, and they have only increased since the onset of widespread digital work. Now more than ever, organizations everywhere feel the pressure to implement comprehensive security strategies fast to avoid becoming the latest cyberattack headline.
The shift to, and complexities of, remote work have underscored the importance of proactive, preventative security measures. Organizations must know and secure their assets — only then can they find and fix vulnerabilities before an attacker breaches their systems.
According to a Cobalt survey of 600 IT security professionals, pen testing provides businesses greater protection against malicious attacks. In fact, 78% say that the more pen testing they perform, the more their organization’s attack surface decreases.
How is PtaaS changing the way DevOps manages security?
Security and software development professionals almost universally see pen testing as a vital component of application and network security programs. However, few organizations can perform as much pen testing as they want or need due to budget limitations and inefficiencies in the traditional pen testing process.
The most common approach to pen testing today is engaging a third-party consulting firm with an IT practice to provide a pen testing team for a specific test project. These engagements provide valuable input, but security teams find them to be slow and expensive. Pen test-as-a-Service (PtaaS) has emerged as an innovative approach to cybersecurity threat detection and remediation.
PtaaS takes these benefits to the next level, allowing organizations of all sizes to manage a scalable, efficient pen test program with on-demand access to expert security talent and a modern SaaS delivery platform. PtaaS enables DevSecOps teams to secure their code faster, integrating security and development tools and real-time collaboration with pen testers.
How well is PtaaS integrated into the system as a best practice?
Organizations must stop viewing pen testing as a manual add-on to their security processes and instead integrate PtaaS into their technology stacks from Day 1, using it as a core component of their security systems. No one tool or tactic alone can provide the defenses organizations need to fend off cybercriminals; it takes a layered approach to create an effective security program.
PtaaS changes how pen tests can be integrated into the SDLC by allowing for programmatic access to vulnerabilities discovered during the pen test via native integrations or APIs, so they can be placed in context with the teams tasked with fixing those vulnerabilities.
With businesses becoming more agile, how has traditional pen testing evolved to integrate with the complex technical environment?
In June 2021, Cobalt launched its public API that allows customers to easily integrate their pen test data into other tools within their technology stack, such as GitHub, Jira, and Slack, enabling streamlined workflows and a dynamic analysis of their security programs. This addition was a critical step in Cobalt’s mission to advance traditional pen testing by enabling teams to manage their data more easily and build a holistic view of their vulnerability and application landscape. This is just one example of how Cobalt is modernizing traditional pen testing.
What key factors are driving PtaaS adoption?
With a new cyberattack making headlines almost every day, organizations have never been more aware of the critical need for a comprehensive security strategy. No one is immune to cyberattacks; that is why proactive, preventative testing is critical for enhancing an organization’s security posture.
Business and security leaders are turning to PtaaS in droves because it offers a more efficient and cost-effective pen test process. They can closely monitor testing progress, as well as catch and remediate vulnerabilities quicker than ever before.
Also, depending on the industry that a company operates in, there can be varying degrees of mandates that require pen testing. PtaaS allows companies of all sizes to effectively meet these requirements.
What are the benefits of PtaaS?
PtaaS delivers all the benefits of manual pen testing in a unified platform with the added benefits of integrations and automation. As security threats continue to get increasingly sophisticated, PtaaS offers a faster and more thorough process for security testing and vulnerability discovery.
Cobalt’s new “ROI of Modern Pentesting” report found that traditional threat detection, via a consulting firm, is no longer cutting it. Using old-school pen testing, most organizations (83%) test critical assets only annually, leaving notable gaps in their security posture for attackers to exploit. This could leave organizations vulnerable to attacks. PtaaS allows for more flexibility and lower costs, meaning organizations can test their assets more frequently, decreasing the risk of vulnerabilities going undetected.
Is there an overlap of the PtaaS model with the SaaS model?
Great question! Just as the name suggests, PtaaS is a modern approach to pen testing, implemented via the SaaS model. PtaaS allows for on-demand test scheduling, seamless integrations, and automated workflows. Its benefits also include direct pen tester collaboration and communication capabilities and more robust reporting.
Typically, what challenges do organizations face while adopting the PtaaS model?
I think one of the biggest challenges right now is awareness. Many organizations have yet to learn about PtaaS, so that education piece is crucial. Over the years, we have seen many companies do proof of concept contracts and then later expand and renew for multi-year contracts once they have experienced the benefits of PtaaS firsthand.
Could you share incidents where pen testing could have proactively identified and addressed vulnerabilities before a data breach ever occurred?
Finding vulnerabilities is important but fixing them is often where organizations with an immature DevSecOps culture fall short. Automated scanners typically throw off tons of alerts, but it can be overwhelming for a development team to know where to start, even if they were really motivated to fix them. Pen testing helps provide human judgment and can assist with prioritization. PtaaS is designed to integrate into the development process.
Checking your cybersecurity defenses regularly is imperative because it will give you the opportunity to pinpoint and prioritize vulnerabilities — like the ones we often hear about in the news — and the chance to stop cybercriminals before they even have a chance to exploit them.
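The workflow Brinkman describes in two of the answers above, findings pulled programmatically from a PtaaS platform and placed in context with the teams that fix them, then prioritized rather than dumped as raw scanner alerts, as an added example that is not Cobalt's code or API: the finding schema, the asset-to-team ownership map, the SLA values, the reference date and the "security-triage" fallback queue are all constructed assumptions.

```python
"""Route pen test findings to owning teams with severity-based SLAs.
Added example, not Cobalt's API or code: schema, owners and SLAs are assumptions."""
import hashlib
from datetime import date, timedelta

# Assumed remediation SLA per severity, in days; dict order doubles as rank.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RANK = {sev: i for i, sev in enumerate(SLA_DAYS)}

# Constructed asset-to-team ownership map.
ASSET_OWNERS = {"api.example.test": "payments", "www.example.test": "web"}

# Constructed findings, shaped like a hypothetical PtaaS API response.
FINDINGS = [
    {"id": "f-1", "asset": "api.example.test", "title": "IDOR on /orders",
     "severity": "high", "state": "open"},
    {"id": "f-2", "asset": "www.example.test", "title": "Reflected XSS in search",
     "severity": "medium", "state": "open"},
    {"id": "f-3", "asset": "api.example.test", "title": "IDOR on /orders",
     "severity": "high", "state": "open"},      # same issue reported on retest
    {"id": "f-4", "asset": "www.example.test", "title": "Verbose Server header",
     "severity": "low", "state": "fixed"},      # already remediated
    {"id": "f-5", "asset": "legacy.example.test", "title": "Outdated TLS config",
     "severity": "critical", "state": "open"},  # asset with no recorded owner
]

def fingerprint(finding):
    """Stable key so one issue reported across tests maps to one ticket."""
    raw = f"{finding['asset']}|{finding['title'].lower()}"
    return hashlib.sha256(raw.encode()).hexdigest()[:12]

def route_findings(findings, owners, today=date(2021, 9, 1)):  # constructed date
    """Return ticket payloads: one per open, unique finding, most severe first."""
    tickets = {}
    for f in findings:
        if f["state"] != "open":
            continue                                   # nothing left to assign
        key = fingerprint(f)
        if key in tickets:
            tickets[key]["source_ids"].append(f["id"])  # merge duplicate report
            continue
        tickets[key] = {
            "fingerprint": key,
            "severity": f["severity"],
            "team": owners.get(f["asset"], "security-triage"),  # unowned -> triage
            "summary": f"[{f['severity'].upper()}] {f['title']} on {f['asset']}",
            "due": (today + timedelta(days=SLA_DAYS[f["severity"]])).isoformat(),
            "source_ids": [f["id"]],
        }
    return sorted(tickets.values(), key=lambda t: RANK[t["severity"]])
```

Each returned payload carries a stable fingerprint, so a ticketing integration can update an existing issue on retest instead of opening a second one.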
About the Interviewer
Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.