New pentest certification exam shows just how complicated the job has become

By Bradley Barth for SC Media
Friday, October 29, 2021

• 4.4k
• 36
• 40
• 36
• 22
• More
• 36
• 36
• 36

“Modern penetration testing is pretty different from what it used to be ten years ago,” agreed Ilia Kolochenko, founder of ImmuniWeb. This is for several reasons. First and foremost, "new technologies, spanning from IoT devices connected to the Internet to multi-cloud environments with managed container orchestration solutions, made the reconnaissance, exploitation and pivoting stages of penetration testing considerably more complex and heterogeneous,” he said.

Indeed, "rapid adoption of emerging tech like cloud-native plug & play widgets, microservices, serverless functions, rich JavaScript widgets, etc., is forcing security professionals to think different about how they approach security testing more holistically," agreed Venkataraman. "This means looking at software design, platform configuration, API specs and deployment artifacts – much of which is in the form of 'code' these days. This also means being aware of an application's use of cloud platform controls to be able to look for weaknesses in the underlying configuration that may lead to system-level risk."

On top of tech advancements, pentesters are also facing tremendous scope creep, Kolochenko noted, as they now often have to test “countless systems where corporate data is stored, processed or backed up,” not to mention verifying the security of multiple third-party partners that also possess your data.

Legal and regulatory concerns have increased as well, Kolochenko added. For instance, the act of pentesting a product might violate terms of service as spelled out by certain EULAs.

In recent months, the popularization of cloud-based services – accelerated by the work-from-home trend triggered by the COVID-19 pandemic – has arguably been among the most impactful IT trends affecting how pentesters must perform their jobs.

This development, said Kolochenko, has introduced “a wide spectrum of new cloud-specific misconfigurations and weaknesses, such as IMDS (International Material Data System) exploitation, excessive IAM (identity and access management) policies or poorly configured cloud storage.” Consequently, “one mistake may provide attackers with all the data and full control over the systems available in your cloud environment. Thus, while providing greater capabilities to automate and accelerate DevSecOps and DFIR (Digital Forensics and Incident Response), cloud may also boost the amplitude of cyber risks.”

The same principle is true for containers, Kolochenko added. “They can bring a lot of benefits to your security and resilience, but if developers or sysadmins lack appropriate security training, the novel technology becomes a powder keg ready to explode.” Kolochenko offered some additional suggestions: “Security analysts should consider not just abstracted technical issues but business interests and compliance risks when addressing mushrooming vulnerabilities,” he said. “We cannot detect all vulnerabilities, we cannot fix all high-risk security flaws at once, and we cannot stop all hackers. Risk-based and threat-aware testing and remediation of vulnerabilities is essentially important for a successful cybersecurity program in 2021. Thus, managerial and other soft skills will be priceless for the next generation of cyber defenders.”

In addition, "the approach to program management and vulnerability management to sustain risk assessments across an evolving application portfolio needs to scale," said Venkataraman. "This means carefully choosing the right depth in testing and scanning, but [this] also includes the ability to convey actionable findings 'just in time' to developers within their ecosystem to enable faster fix cycles. Tagging remediation owners within the organization based on type of finding becomes an art that is slowly getting automated through better asset inventory management and better traceability practices." Read Full Article