GUEST ESSAY: Why ‘continuous pentesting’ is high among the trends set to accelerate in 2023

By Dave Gerry

There is much that can be gleaned from helping companies identify and manage their critical vulnerabilities 24X7.


Based on insights from our team of elite security researchers here at Bugcrowd, these are three trends gaining steam as 2022 comes to a close – trends that I expect to command much attention in 2023.

Continuous pentesting

For years, penetration testing has played an important role in regulatory compliance and audit requirements for security organizations. However, a longtime challenge with pentesting has been the “point-in-time” nature of the tests.

At some pre-defined point in time, the test is completed against the then-current version of the application and a report is delivered. The challenge is that application development has changed significantly in recent years; often, by the time a pentest is completed and the report is delivered, the findings are already out of date because the application has changed.

Over the coming year, we will see an accelerating shift from traditional pentesting to PenTesting-as-a-Service (PTaaS). Rather than treating point-in-time assessments as a necessary evil for maintaining compliance with internal or external requirements, organizations are using pentesting as an important tool in their risk and security program.

By testing the application incrementally, security organizations gain current and ongoing visibility into its security posture, because the smaller scope of each test allows for faster turnaround. This gives security organizations near-real-time information on the current security posture of the application, network, or infrastructure.


It’s important to remember that every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced. Security organizations must maintain the ability to gain real-time visibility into their current posture – both from a risk governance perspective and from a compliance perspective.

Security vendor consolidation

The rapid expansion of new security products has led to many organizations purchasing the “latest and greatest” without having a strong integration plan in place. Without a clear deployment and integration plan, even the best security product will go underutilized.

For the past few years, the industry has seen an incredible amount of M&A consolidation. As a result, security organizations are looking internally for ways to better leverage or upgrade their existing tool sets rather than adding to an ever-growing technology stack.

This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.

Narrowing the talent gap

Attracting strong candidates has always been a core part of running any business. Finding senior talent, whether in cybersecurity or another function, requires a combination of attractive compensation, career growth, the flexibility to work anywhere, and a mission that employees want to support.

It’s also important to find talent from non-traditional and diverse backgrounds, provide them with the necessary training and enablement, pay them well with additional equity incentives, and empower them to do what needs to be done.

For years, we’ve been led to believe there is a significant gap between the number of open jobs and qualified candidates to fill those jobs. While this is partially true, it doesn’t provide a true view into the current state of the market.

Employers need to take a more active approach to recruiting from non-traditional backgrounds, which in turn significantly expands the candidate pool beyond those with formal degrees to individuals who, with the right training, have incredibly high potential.

Additionally, this gives people from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, the opportunity to break into the cybersecurity industry, providing income, career, and wealth-creation opportunities that they might not otherwise have access to.

Organizations need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships, and on-the-job training to help create the next generation of cyber-talent.

About the essayist: Dave Gerry is CEO of Bugcrowd, which supplies a security platform that combines contextual intelligence with actionable skills from elite security researchers to help organizations identify and fix critical vulnerabilities before attackers exploit them.
