Continuous Pentesting Doesn’t Always Cover All Your Bases
Continuous vs. On-Demand Testing
In a previous article we described the benefits of doing continuous pentesting in a strategic cybersecurity program. Frequent product changes and updates, rapidly changing cloud infrastructures, and a seemingly never-ending train of newly-introduced vulnerabilities all point to the need for continuous vigilance and testing of your organization’s assets. Synack has you covered with Synack365, our program of continuous pentesting.
You specify the organization assets that you want tested and the Synack Red Team (SRT), our highly vetted group of security professionals, tests those assets for vulnerabilities on a continuing basis.
But there are some situations when you just need to run a targeted penetration test, perhaps a single test, a penetration test on a limited set of assets, or a specific test to document compliance. Synack has you covered here too, with on-demand testing. With on-demand testing you can run pentesting to achieve targeted security objectives on a single-shot basis.
Appropriate Pentesting Scope By an Asset’s Risk Level
Constraining a security researcher to a checklist of specific vulnerabilities is not the technique you want to rely on as your only vulnerability analysis. High-criticality assets like web pages and applications that handle sensitive data, databases, and rapidly evolving product developments require continuous testing to ensure that you discover and remediate any exploitable vulnerabilities that arise.
But other assets like boilerplate web pages or those containing information only, and other low-criticality assets don’t require the same level of penetration testing. Depending on your organization’s requirements, a targeted single-shot test may be most appropriate.
On-demand Pentesting Solutions
Using on-demand targeted testing, you can be more precise about the type of security testing you want to perform, based on the asset. For example, if a web page has no login functionality, you may want to test only the subset of common vulnerabilities that do not pertain to authentication. On-demand tests can uncover a wide spectrum of risks from the Open Web Application Security Project (OWASP) and National Institute of Standards and Technology (NIST).
Here are some situations where it may be appropriate for you to request on-demand penetration testing.
- New or Specific API Endpoints – While APIs often are part of complex assets that demand continuous coverage, sometimes you want to be precise and test a limited scope of endpoints to ensure secure authentication, authorization, configuration and data handling.
- Compliance Testing – Even if an asset is not overly complex, it may require testing for legal requirements. Document security compliance by checking for vulnerabilities like those from the OWASP Top 10 and Web Security Testing Guide (WSTG). Reports can be applied to frameworks like PCI, HIPAA, NIST and FISMA.
- Newly Discovered Exploits – Deploy quick and thorough testing for newly discovered exploits like Log4j, Spring4Shell, and SolarWinds.
- Satisfy New Legal Requirements – Legal requirements are changing more often than ever. Document adherence to security-related requirements with a targeted test.
Requesting Synack On-Demand Pentesting
You can schedule on-demand penetration testing with Synack with the click of a button through your Synack platform window. Clicking on the Catalog tab in the top navigation takes you to the Synack Catalog where you can specify the test or tests to be run and the assets to test. The catalog contains an extensive and customizable set of tasks, or “missions,” that should cover all your on-demand testing needs. The catalog covers controls from NIST 800-53, OWASP Top 10, the Application Security Verification Standard (ASVS) and the Web Security Testing Guide (WSTG), among other frameworks.
Common vulnerabilities include:
- Injection flaws (XSS, SQL, LFI, etc.)
- Broken authentication
- Sensitive data exposure
- Known vulnerable software
- Cross-site scripting
The SRT and Synack Ops team perform the required tests and review the results. Audit-ready report results are then posted in your Synack platform.
Learn More About On-Demand Pentesting
To learn how you can enhance your cybersecurity program with Synack on-demand pentesting, click here.