What are the problems with continuous testing in its current state?
Continuous pen testing in its current state is interesting. Many people have different views on what 'continuous' truly means when it comes to their assessing vulnerabilities in the environment, but there are problems with the scope of perception overall.
The meaning of pen testing is the first area of disparity. Some people think that running tests at more regular intervals qualifies as continuous pen testing, when really that is just repeating the same tests throughout the year. Others view continuous pen testing as a way of stitching together tools and presenting them as a sufficient replacement for pen testing, which is incorrect. Then there are the people who say, "Okay, let's look at bringing in pen testers with genuine intelligence and thought about when they're needed." Of the three examples, these people are arguably closer to understanding what continuous pen testing actually is.
Think about how you do continuous quality assurance, testing particular features as they're brought into an application. Similarly, continuous patch management is implemented by searching across the entire ecosystem whenever there's an indication of a new vulnerability or a new patch. These are all mature ways of running continuous processes, but there are still limitations in observability that make them difficult.
In order to deliver on continuous pen testing, you need to have oversight of the entire technology stack and the entire business. You need a depth of understanding that many businesses struggle to achieve.
On the subject of continuous pen testing, it's also worth bringing continuous red teaming and continuous breach and attack simulation into this conversation. There are businesses that constantly hit other businesses in order to probe weaknesses and test their detection and response capabilities. This is a valuable service, and there is merit in being able to do that, but these methods are in no way a replacement for genuine penetration testing, which is an approach of trying to find vulnerabilities in a systematic way.