Traditional penetration testing (or pen testing) has five stages.
During the first stage, the pen tester gathers information about the company — list essential assets and software of the company.
The second stage is all about getting a sense of the company’s possible weaknesses via scanning.
The third is the evaluation of the flaws in the system.
In the fourth stage, the pen tester exploits detected weaknesses as a black hat hacker would.
The fifth stage is gathering all the insights in a report.
Traditionally, the company would receive a report, a diagnosis describing the state of the security, only one month later.
The problem is — modern security landscapes change in minutes. This means that the report would come in 30 days too late.
After 30 days, the report that suggests how to repair the major weaknesses within the system probably no longer reflects the current state of the security.
It’s estimated that a new cyber attack occurs every 39 seconds. Many of them include new techniques that can’t be blocked by the security points that a company has to guard its most important assets.
To keep up with such a high frequency of cyber breaches and exploits, companies have been using a tool that tests their security on the same principles as pen testing, but with the use of automation — it’s known as Breach and Attack Simulation (BAS).
There has been a lot of discussion over how BAS killed the pen test.
But does it hold any water?
Here, we go over the key advantages of the BAS tool vs pen testing and discuss the future of manual security testing.
Reducing the Cost of Security Testing
A big advantage of cloud-based BAS is its lower cost compared to traditional pen testing.
On average, traditional pen testing can accumulate costs between $2000 and $100,000 depending on the type of evaluation and the size of the company.
The high cost of traditional assessments is due to hiring the experts — white hat hackers who specialize in pen testing.
BAS, on the other hand, provides a tool that can be used even by security team members that don’t have the same skills as seasoned professionals.
Some BAS providers even allow the renting of the tool for companies that want to perform a one-time test with this automated solution.
Even more, the BAS tool cuts the cost for the company in the long run by helping them to nip the threat in the bud — uncover and fix issues early and avoid costly cyber attacks.
Evaluating Security in Real-Time
A lot has changed from the first penetration tests that would aid businesses to evaluate networks.
Annual or biannual pen tests don’t cut it against cyber threats that are growing both in frequency and complexity.
The BAS tool aids companies to keep up by repeatedly scanning and testing the company’s systems with simulated attacks.
It can be set to run in the background 24/7, performing chosen tests that are likely to compromise the organization.
With every testing cycle, security teams will know if the patches they have applied truly worked and if there is a possible vulnerability that could be exploited by hackers.
For example, the BAS can be used for the simulation of continual phishing attacks that often target the employees within the company.
Patching up Security Before It’s Too Late
Since the testing is simulated and done non-stop, security teams can prioritize their patching schedules and tasks according to the latest data.
As mentioned, BAS tests portray the image of the company’s security in real-time. It can tell teams whether the security controls are used incorrectly (misconfigured) or if a bug in the code of an application has created an unintentional pathway that grants illicit access to accounts.
Since this solution was created to be user-friendly and easy to use by companies, any security team member can use its insights to see if the hacker can successfully get into the network.
Accurate and comprehensive data aids security teams to decide on their next steps and react early — before a possible cyber incident occurs.
Assessing the Network Against New Threats
New zero-day vulnerabilities could compromise the network in between traditional pen testing.
So could advanced hacking, bad actors that have been observing the organization for months, looking for a way to get into the system, compromise the data and misuse other assets of the business.
BAS relies on the MITRE ATT&CK framework — the ever-growing library of the latest attacks that compromise networks.
MITRE features actionable advice on how to prepare for the listed threats and fight novel and old hacking techniques.
As a result, the BAS solution is continually updated to find the latest exploits that have been detected in the wild.
Has Pen Testing Kicked the Bucket?
Companies might still use pen testing services to achieve compliance or to do tests for legal purposes.
For instance, some companies are legally required to perform the pen test once a year or assess the application that is about to be launched on the market.
That being said, overall, BAS killed pen testing in that it requires less skill, and efficiently evaluates whether current levels of security can defend an organization against well-known threats.
BAS automated processes that uncover weaknesses in the security that create pathways into the organizations.
As with any kind of automation, it saves professionals from doing repetitive tasks and creates more space for them to dedicate to more complex challenges — such as threat hunting and fighting more sophisticated attacks.
The fact that some forms of pen testing are dying is not necessarily a bad thing. It’s actually a way of moving forward.
