Better Security through Continuous Testing
Posted by: Todd Salmon
Published 11/2/2021, 10:00am
It’s the fourth quarter of the year, and for penetration testing teams the world over, that means the scales of work-life balance have tilted even further toward “work” than they already had. As companies and organizations scramble to get final assessments in so they can plan the projects that will kick off the new year, pentesting teams quickly find themselves at or above 100% utilization. But why do we do this? It’s not as if all the new vulnerabilities and exploits have been saved up all year, waiting for the magic moment when September 30th turns into October 1st to be released onto the world.
I started my career in cybersecurity over 30 years ago in military intelligence. Over time I’ve moved from contracting, to corporate work, to consulting, and back again, working my way from systems engineer to global CISO as I established and ran security practices for companies. I’ve seen it all, and a consistent theme across my entire career has been the lack of resources available to cybersecurity and the impact that shortage of talent has on operations. For example, I took over as CISO at a company immediately after a major breach, and testing became an instant priority. But even 15 years ago, I faced the same challenges CISOs face today: I wanted to test my environment thoroughly and I wanted to find as many vulnerabilities as possible, but there just weren’t enough people with enough time to cover the massive number of potential exploits that were released between the last test and the current one. And it’s only gotten worse since then.
In the first half of this year, there were over 12,000 new vulnerabilities reported. Of those, over 2,300 could be exploited remotely. Almost 1,500 had public exploits with mitigating solutions. Close to 900 had no solution available. So how can we expect any annual or bi-annual testing cadence to find and fix all those potential problems? The short answer is, we can’t. From my time leading these efforts, both as a customer and a pentester, I know that tests often need to be scoped down to only the most important assets and the most critical vulnerabilities. If we want to move beyond those limitations, we have to stop relying solely on human-led efforts and start supplementing them with automated, continuous testing. After all, hackers are always on; your testing should be, too.
That’s why I’m happy to be leading the expansion of GuidePoint Security’s existing penetration testing services into automated testing and launching our new Penetration Testing as a Service (PTaaS) offering.
PTaaS offers the best option for clients looking to continuously secure their networks and applications as new vulnerabilities are released every day. A continuous security testing program gives you control of your testing and immediate access to results, enabling you to manage and remediate vulnerabilities in a more efficient, timely manner. Don’t get me wrong: traditional, point-in-time penetration testing is not going away, nor should it. Real-world, human expertise is critical in pentesting, and, bolstered by the continuous results of automated penetration testing, our expert teams can validate your remediation efforts and focus on the vulnerabilities that matter most in your environment.
If you want to know more about how GuidePoint’s Penetration Testing as a Service can help your organization, visit our PTaaS page to learn more and reach out to speak to one of our experts.
Todd Salmon
Executive Advisor, Threat & Attack Simulation,
GuidePoint Security
Todd Salmon is a veteran cybersecurity executive with extensive experience leading professional services organizations focused on information security and technology. Todd’s primary area of focus for the past twenty-plus years has been the offensive security space, where he’s built large consulting teams that delivered technical security assessments such as Penetration Testing, Vulnerability Assessments, and Red Teams.
Todd’s primary focus at GuidePoint is the development of strategic, next generation technical offerings for the Threat and Attack Simulation Practice.