The Pentesting Process Re-defined
While annual penetration tests, monthly security scans and audits have their place, our solution is designed to bridge the gaps not covered by these security controls.
Why Current Industry Practice is not Enough
While it is unreasonable to assume your company will ever reach zero percent risk, it's also unreasonable to assume that your current security program is adequately protecting your company's digital assets by paying for one pentest per year.
Before making the case that current industry practice is inadequate, let's take a step back and look at the main causes of data breach.
Pentesting is typically done once or twice a year, but these sources of breach listed above are happening throughout the year. Monthly or weekly vulnerability scans can reduce the window of exposure between pentests, but if scans were enough, then we would purely rely on scanning and not do penetration testing at all.
PCI and other compliance standards advocate security testing after making significant changes to your environment. Paying for a full pentest after each change would be very costly. You wouldn't want to test the entire environment either, just the part that changed. So, then why not use an on-demand service model that lets you pay for testing incrementally as the company grows and adapts?
In general terms, the industry needs solutions that help it identify security issues as they occur, so that the underlying processes can be improved. Testing annually alone is not an effective approach.
Pentesting as Changes Occur
This really is the holy grail, the goal to strive for. Ideally, you have processes and programs that cause this to happen, but in reality organizations are typically not mature enough, because they are focusing on the real issue at hand: running their business!
Again, this is where you must find the right balance to both grow and develop the organization while keeping the company secure. This is where proactive monitoring and semi-automated penetration testing can greatly improve the security of your organization!
You must first understand what you need to protect. This should, above all, be your number one objective!
Besides knowing what you have, you must understand the level of risk for each asset. Controls vary widely depending on what you want to protect.
Continuous monitoring of your environment allows you to detect vulnerabilities and configuration mistakes as they occur.
Digital Life Cycle
Once new assets are detected, it is important to have those systems tested for security issues. The Reconcilor helps network administrators track their testing and remediation efforts.
Reduce your overall exposure by implementing a no-fail security model through strong process design, while maintaining your compliance requirements throughout the entire cycle.
Protects against unknown risks and gives an extensive picture of your internet-facing systems as well as third-party exposure.
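The life cycle described above (detect a new or changed internet-facing asset, queue only that asset for testing, track findings through remediation and retest, and only then close it) can be sketched in code. The following is an added illustration, not the Reconcilor product's own code; the hostnames, services and finding descriptions are constructed, and the state names and transition table are assumptions chosen for the example.

```python
"""Added example: reconcile two attack-surface inventory snapshots and track
each new or changed asset through test -> remediate -> retest -> close.
Not the vendor's code; all hosts, services and findings below are constructed."""
from dataclasses import dataclass, field

# Constructed inventory snapshots: hostname -> set of exposed services.
PREVIOUS_SNAPSHOT = {
    "www.example.test": {"443/https"},
    "mail.example.test": {"25/smtp", "587/smtp"},
}
CURRENT_SNAPSHOT = {
    "www.example.test": {"443/https", "8443/https"},   # new service on a known host
    "mail.example.test": {"25/smtp", "587/smtp"},      # unchanged
    "staging.example.test": {"22/ssh", "80/http"},     # brand-new host
}

# Assumed life-cycle states and the transitions the process allows.
UNTESTED, IN_TESTING, REMEDIATING, CLOSED = "untested", "in_testing", "remediating", "closed"
ALLOWED_TRANSITIONS = {
    UNTESTED: {IN_TESTING},
    IN_TESTING: {REMEDIATING, CLOSED},
    REMEDIATING: {REMEDIATING, IN_TESTING},   # a fix must be retested before closing
    CLOSED: set(),                            # only an inventory change re-opens a closed asset
}


@dataclass
class AssetRecord:
    host: str
    services: set
    status: str = UNTESTED
    findings: list = field(default_factory=list)   # [{"desc": str, "open": bool}]


def diff_snapshots(previous, current):
    """Compare two snapshots; return (new_hosts, changed_hosts, removed_hosts), each sorted."""
    prev_hosts, cur_hosts = set(previous), set(current)
    new_hosts = sorted(cur_hosts - prev_hosts)
    removed_hosts = sorted(prev_hosts - cur_hosts)
    changed_hosts = sorted(h for h in cur_hosts & prev_hosts
                           if set(current[h]) != set(previous[h]))
    return new_hosts, changed_hosts, removed_hosts


class Reconciler:
    """Keeps a testing/remediation record per exposed asset."""

    def __init__(self):
        self.records = {}      # host -> AssetRecord
        self.retired = set()   # hosts that disappeared from the inventory

    def ingest(self, previous, current):
        """Apply an inventory diff: only new or changed assets enter the testing backlog."""
        new, changed, removed = diff_snapshots(previous, current)
        for host in new:
            self.records[host] = AssetRecord(host, set(current[host]))
        for host in changed:
            rec = self.records.setdefault(host, AssetRecord(host, set()))
            rec.services = set(current[host])
            rec.status = UNTESTED          # any change re-opens the test cycle
        for host in removed:
            self.records.pop(host, None)
            self.retired.add(host)
        return new, changed, removed

    def backlog(self):
        """Assets still waiting for a test."""
        return sorted(h for h, r in self.records.items() if r.status == UNTESTED)

    def _move(self, host, new_status):
        rec = self.records[host]
        if new_status not in ALLOWED_TRANSITIONS[rec.status]:
            raise ValueError(f"{host}: cannot move from {rec.status} to {new_status}")
        rec.status = new_status

    def start_test(self, host):
        self._move(host, IN_TESTING)

    def record_finding(self, host, description):
        self.records[host].findings.append({"desc": description, "open": True})
        self._move(host, REMEDIATING)

    def mark_fixed(self, host, description):
        matches = [f for f in self.records[host].findings if f["desc"] == description and f["open"]]
        if not matches:
            raise KeyError(f"{host}: no open finding '{description}'")
        for f in matches:
            f["open"] = False
        self._move(host, IN_TESTING)       # the fix goes back for retest

    def close(self, host):
        """Closing is refused while any finding is still open (the 'no-fail' check)."""
        if any(f["open"] for f in self.records[host].findings):
            raise ValueError(f"{host}: open findings remain")
        self._move(host, CLOSED)

    def open_findings(self):
        return {h: [f["desc"] for f in r.findings if f["open"]]
                for h, r in self.records.items() if any(f["open"] for f in r.findings)}


if __name__ == "__main__":
    r = Reconciler()
    print("new/changed/removed:", r.ingest(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT))
    print("testing backlog:", r.backlog())
```

The point of the diff step is that the unchanged mail host never enters the backlog, which is the incremental, pay-for-what-changed testing model argued for above; the transition table and the open-findings check in `close()` are what keep an asset from being marked done before its fix has been retested.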
Risk = Rate of Change X Process Design
The more successful and ambitious companies become, the higher their level of risk inherently goes. This is because the faster the rate of change, the more error-prone we become.
The natural response is to layer control upon control to make sure mistakes are kept to a minimum. It takes time and experience to find the right balance. This is where expertise can be valuable! Why waste months and/or years trying to develop and define processes when they may already exist?
Attack Surface Management
A well-designed Attack Surface Management program takes all of these things into consideration, and establishes an integrated workflow that enables security as part of the digital asset life cycle.
The following components should be part of every Attack Surface Management Program.