With enterprise applications defaulting to cloud infrastructure, application security testing increasingly resembles penetration testing on a distributed application attack surface, a similarity that is opening up new markets for penetration testing as a service (PTaaS).
Instead of focusing on the edge of the network, PTaaS vendors are focusing on cloud applications, which typically present three vectors of vulnerability: the application itself, the interconnections between applications, and how the application changes over time. Accelerated development and events like mergers and acquisitions tend to expand the attack surface along all three vectors, but pen testing aims to keep pace with the changes.
Organizations need to lock down their cloud applications because attackers are already looking for remotely exploitable security holes; the average company has 11,000 exploitable stock exposures in a given month, says Kelly Albrink, associate vice president of consulting at Bishop Fox, an offensive security firm.
“Organizations face attackers with unlimited time [and] large amounts of resources and aim for the lowest results first,” she says. “As these applications are becoming more and more complex and the integrations are becoming more and more complex, this only expands the opportunities for attackers and the ways in which they can access an app or, ultimately, any system it is connected to.”
Today Bishop Fox announced its Cosmos Application Penetration Testing (CAPT) service that combines pen testing with on-demand assessment and analytics services.
Cloud deployment has quickly become the standard for enterprise applications. By 2025, 95% of new digital workloads will be deployed on cloud-native platforms, up from 30% in 2021, according to business intelligence firm Gartner. Many of these workloads – up to 70% by 2025 – will not be traditional applications but low-code or no-code applications delivered via cloud services, Gartner said.
The App, the Cloud and the Configuration
The cloud and applications deployed in cloud infrastructure are so intertwined that pen testers must take into account not only the security of the app, but also the cloud platform and the cloud configuration of the application, says Caroline Wong, chief strategy officer at Cobalt.io, a PTaaS company.
“Access control and configuration are fundamentally different between network and cloud, and these characteristics need to be tested intentionally,” Wong says. “Cloud adoption leads to rapid increases in both the number of applications in a company’s software portfolio and the frequency of changes for each of those applications.”
According to Cobalt’s “The State of Pentesting 2023” report, the single largest category of security issues discovered during penetration tests (nearly 40%) is server security misconfigurations, such as missing security headers and insecure SSL and TLS encryption libraries.
From a vulnerability perspective, Cobalt found that stored cross-site scripting (XSS), outdated software versions, and insecure direct object references (IDORs) are the most common vulnerabilities. Nearly all (94%) of stored XSS vulnerabilities and 85% of IDOR vulnerabilities are of medium or greater severity.
However, over time, medium, high, and critical defects make up a smaller share of all issues detected for PTaaS customers, as the more severe issues are found and resolved, the report said.
Increase pen testing as needed
The line between dynamic application security testing (DAST) and PTaaS has essentially disappeared as applications are deployed in the cloud. In many ways, the definition of an application has changed, says Bishop Fox’s Albrink. One of the company’s clients asked the company to test 30 applications, but when the testers looked at the scope of the pen test, they determined that it was a single application with 30 different microservices, each managed by a different team at the company.
“We generally strongly recommend taking a holistic approach, so that everything an end user can see and interact with is part of the app,” she says. “And that could include API endpoints, middleware, a firewall, [and] dozens of other systems on the back end, but they’re all presented through some sort of single user experience.”
Time is the final axis along which applications change. Security debt is very real, and especially in an agile development group, frequent security assessments and penetration tests are needed, says Cobalt’s Wong.
“For companies that push code weekly or even daily, it is probably not enough to keep up with the speed of change and the likelihood of introducing new security vulnerabilities,” she says. “Every organization will have a limited budget, and we see these changes will result in a change in how security spending is allocated between offensive and defensive security controls.”