Introducing Interactive Pentesting: Human Experts Augmented With IAST
In 2008, Brian Chess declared the impending death of application penetration testing. He believed that pentesting, as everyone knew it back then, was in its final days – about to die and come back as something else. He likened it to the ubiquitous personal digital assistants (PDAs) of the early 2000s – disappearing in form, while the key functions were reborn in modern smartphones.
Pentesting Remains Alive and Well
But more than 12 years since Chess predicted the imminent demise of pentesting, it continues to thrive in almost exactly the same form as before. This is because penetration testing examines a target environment as a whole – looking into complex or fundamental vulnerabilities that scan-based tools cannot find, such as business logic flaws, poor separation of duties, or ineffective network segmentation. Pentesting can offer tangible ROI in terms of breach prevention, compliance reporting, and ongoing security metrics.
The objective of pentesting is to simulate attacks on network infrastructure and applications in order to test defenses and find vulnerabilities.
- Network penetration testing targets network and host configurations to verify patches and other vulnerability checks.
- Application penetration testing focuses on testing custom applications, such as web applications, application programming interfaces (APIs), and rich-client applications.
With application pentesting in particular, a typical engagement involves a small team that spends a week or two focused on a specific application. Because of the long delays and natural bottlenecks associated with the process, organizations generally save these tests for the end of the software development life cycle (SDLC).
Feeding the Need for DevOps Speed
In the early 2000s, pentesting traditional monolithic web applications was relatively easy. Anyone with a proxy and the OWASP Testing Guide could find a wide range of issues. However, since that “golden age” of pentesting, software development has accelerated dramatically.
An astounding 92.7 billion lines of code were written in 2020 alone. Today’s software applications have become much larger, more complex, more interconnected, and far more critical to the individuals and organizations that use them. The majority (79%) of DevOps teams report that they are under increasing pressure to shorten release cycles – and 80% of teams deploy code to production at least multiple times per week. Indeed, modern development pipelines are designed to deliver software not in days or even hours – but in minutes.
How Can Pentesting Keep Up With Today’s Development Cycles?
1. Start with threat modeling
Traditional pentesting efforts are often poorly prioritized and directed. Rather than focusing on finding the most critical risks, they simply use a checklist or a specific set of tools. For modern applications in particular, threat modeling can help drive testing priorities by identifying key security and privacy concerns. The Threat Modeling Manifesto is a great place to get started.
2. Partner with development
Effective testing requires detailed information about how the application works and the ability to leverage the quality-test infrastructure to generate and modify application traffic. The fastest way for application security to do this is to partner with the development team. Here, pentesters should strive to work with developers to understand an application’s unique complexities without compromising their independence.
3. Stop competing with tools
Pentesting should be part of a “balanced breakfast” of testing techniques. Do not waste precious pentesting hours on things that have already been thoroughly tested with other techniques, such as interactive application security testing (IAST). Focus manual testing efforts on the specific areas where other application security tools are weak, like authentication, access control, and use of encryption. Track your route coverage to make sure you have thoroughly tested the entire application or API attack surface.
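One way to track route coverage, as an added illustration rather than code from the original post: match the requests a test proxy or agent observed against the application's route inventory and report which routes were never exercised. The route list, log lines and `{id}` template syntax below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed route inventory for a hypothetical API, as a framework or
# IAST agent might enumerate it: (HTTP method, path template).
APP_ROUTES = [
    ("GET", "/api/users/{id}"),
    ("PUT", "/api/users/{id}"),
    ("GET", "/api/orders"),
    ("POST", "/api/orders"),
    ("DELETE", "/api/orders/{id}"),
    ("GET", "/admin/export"),
]

# Constructed sample of requests seen during testing: "METHOD target status".
OBSERVED_REQUESTS = """\
GET /api/users/42 200
GET /api/users/42%27 500
PUT /api/users/42 403
GET /api/orders?page=2 200
POST /api/orders 201
GET /healthz 200
"""

def template_to_regex(template):
    """Turn a template such as /api/users/{id} into an anchored regex."""
    parts = re.split(r"(\{[^/}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "$")

def route_coverage(routes, log_text):
    """Return (hits, untested, unmatched): requests per route, routes never
    exercised, and requests that map to no inventoried route."""
    compiled = [(m, t, template_to_regex(t)) for m, t in routes]
    hits, unmatched = defaultdict(list), []
    for line in log_text.splitlines():
        method, target, _status = line.split()
        path = target.split("?", 1)[0]  # the query string does not select the route
        for m, t, rx in compiled:
            if m == method and rx.match(path):
                hits[(m, t)].append(line)
                break
        else:
            unmatched.append(line)
    untested = [r for r in routes if r not in hits]
    return dict(hits), untested, unmatched

def coverage_percent(routes, log_text):
    hits, _, _ = route_coverage(routes, log_text)
    return round(100.0 * len(hits) / len(routes), 1)
```

Unmatched requests are worth a look too: they are either undocumented attack surface or noise such as health checks.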
4. Embrace continuous testing
DevOps and Agile workflows have been widely embraced to accelerate release cycles and the amount of new code being written. Modern SDLC pipelines often deploy code to production many times each day. There is simply no way to perform traditional penetration tests before release without disrupting workflows and severely slowing down the SDLC. To reduce the time between deployment and testing, organizations must consider more scalable approaches that can run continuously.
5. Adapt to modern application complexity (APIs, microservices, serverless)
Today’s cloud-native applications can be difficult to test. Authentication schemes are complex, and rapid request rates make interception difficult. For example, APIs do not just use HTTP with simple payloads. They also use things like JSON, XML, and serialized objects. And API security has become particularly important – specifically, APIs serve as gateways into an enterprise (making them popular targets for bad actors). Further, as modern pentesting requires tools that generate attack traffic across all the distributed parts of the application, it may take time to understand these communications and gain comprehensive visibility.
6. Understand open-source libraries and frameworks
Similarly, there is complexity on the server side. The vast majority of applications (94%) rely on open-source components, each with an average of nearly 700 dependencies that present potential vulnerabilities. For example, the newly discovered dependency confusion attack can leverage an open-source ecosystem flaw to upload malware to repositories, which then get automatically distributed downstream into internal applications. To address these sorts of issues, a pentesting team must quickly understand the application framework, how it routes to code, and how built-in security defenses are supposed to work.
7. Leverage instrumentation
Organizations can dramatically accelerate penetration testing by getting visibility into exactly what happens inside the application code or API when an attack is sent. Security instrumentation tools (like IAST) are very effective at tracking things like data flows, control flows, backend connections, and configuration files. Application security teams should install an agent before starting pentesting, which can then provide an inside view of all actual vulnerabilities present in the code during the application runtime. This visibility can dramatically accelerate penetration testing coverage and accuracy.
8. Deliver security test cases
Communicating with development teams and other groups that need to know about security is tough. Rather than delivering a traditional PDF report with arcane findings, application security teams should consider using Jira tickets to make their recommendations easier to consume. Even better, application security teams can deliver findings as test cases that run continuously with every build to prevent future instances of each discovered vulnerability from ever reoccurring. Security that natively integrates with ticketing systems can have an even broader impact – helping to improve the accuracy of testing, incentivize the remediation, and accelerate development cycles – all while helping to deliver secure code to production.
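What a finding delivered as a test case can look like, as an added example and not code from the original post: a hypothetical access-control finding (any logged-in user could read any document) is encoded as a small table of cases that the build runs on every commit. The document service, the remediated and pre-fix handlers, and the ticket ids are all constructed placeholders.

```python
import unittest

# Constructed stand-in for the application under test.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's notes"},
    2: {"owner": "bob", "body": "bob's notes"},
}

def secure_get_document(session_user, doc_id):
    """Remediated handler: returns (status, body) and enforces ownership."""
    if session_user is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        return 404, None  # do not reveal that someone else's document exists
    return 200, doc["body"]

def vulnerable_get_document(session_user, doc_id):
    """Pre-fix handler, kept to show the cases catching a regression."""
    if session_user is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    return (404, None) if doc is None else (200, doc["body"])

# One row per behaviour the finding requires: (case id, session user,
# document id, expected status). Case ids are placeholder ticket references.
SECURITY_CASES = [
    ("SEC-TICKET-1 owner can read own document", "alice", 1, 200),
    ("SEC-TICKET-1 cross-user read must be denied", "alice", 2, 404),
    ("SEC-TICKET-1 unauthenticated read must be rejected", None, 1, 401),
]

def run_security_cases(handler, cases=SECURITY_CASES):
    """Run every case against a handler; return the ids of those that fail."""
    failures = []
    for case_id, user, doc_id, expected in cases:
        status, _ = handler(user, doc_id)
        if status != expected:
            failures.append(case_id)
    return failures

class SecurityRegressionTests(unittest.TestCase):
    """The form the finding ships in: a test the pipeline runs on every build."""
    def test_findings_do_not_regress(self):
        self.assertEqual(run_security_cases(secure_get_document), [])

if __name__ == "__main__":
    unittest.main()
```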
The Evolution of Penetration Testing
Ideally, the goal of modern pentesting should be to figure out new application technologies and how to test them for vulnerabilities. Penetration testing teams should be the advance guard for the SDLC – driving the state of the art in security forward. But there simply are not enough skilled individual application security researchers to perform penetration testing on everything. So, we must continuously take the manual test approaches designed by penetration testers and support them with automation.
That said, unlike premature prognostications a decade ago, penetration testing is not on its deathbed. In one form or another, it will always be a valuable part of application security. And as applications continue to expand and grow more complex, security must evolve pentesting for each new layer that is added.
For more details on next-generation pentesting, make sure to register for the upcoming webinar – “How to Streamline AppSec with Interactive Pentesting.”