1501 Broadway STE 12060
New York, NY 10036-5601

inquiry@winmill.com
1-888-711-6455


    Penetration testing is evolving. Five security and development trends are increasing the complexity of penetration testing and changing client expectations.

    1. DevSecOps: Teams are introducing secure code review (SCR, the process of examining an application’s source code) and penetration testing into the software development life cycle (SDLC) to identify vulnerabilities earlier.
    2. Client Awareness: Now that many people know about penetration testing, the discussion is changing to focus on differences in penetration testing methodologies, scopes of engagement, and report delivery methods.
    3. Continuous Delivery of Pen Test Results: This new penetration testing delivery experience shares pen test results with the client in real time through a technology platform or web portal. Penetration Testing as a Service (PTaaS) delivers results year-round, unlike point-in-time pen tests, which are typically executed only once a year.
    4. Ticketing System Integration: More organizations are requiring their penetration testing firms to integrate with existing remediation processes and ticketing systems.
    5. Demand for Customization: There is increased demand for customization of severity and risk ratings, remediation assignments, and service level agreements (SLAs), and the ability to manage the results where it is most efficient for the defense and development teams.

    This does not mean that traditional penetration testing is a thing of the past. Rather, the implication is that organizations that are shopping for penetration testing services expect highly customized engagement methodologies based on their maturity level, regulatory compliance requirements, unique attack surface profiles, and budgets. It also means that penetration testers need to improve their scoping process to capture the client’s unique requirements more precisely and deliver pen testing services that fully address security concerns.

    DevSecOps

    Teams are introducing secure code review (SCR) and penetration testing into the software development life cycle (SDLC) to identify vulnerabilities earlier.

    DevSecOps is a way of approaching IT security with an “everyone is responsible for security” mindset. It involves injecting security practices into an organization’s DevOps pipeline, with the goal of incorporating security into every stage of the software development workflow. This departs from its predecessor development models: with DevSecOps, security is not deferred to the final stages of the SDLC.

    Known as “shifting left,” this software development trend reflects efforts to improve software security and reduce testing costs. To ship secure software faster, organizations are working to integrate security processes seamlessly into the software development workflow and CI/CD pipelines. DevSecOps is therefore driving requirements for continuous and comprehensive penetration testing.

    Client Awareness

    Now that many people know about penetration testing, the discussion is changing to focus on differences in penetration testing methodologies, scopes of engagement, and report delivery methods.

    Pen testing services clients are becoming educated clients. They understand the differences between product offerings and are able to discriminate based on their own needs. They know the differences in methodologies and report delivery methods and have expectations based on that knowledge. Therefore, the scoping process needs to capture a full and accurate picture of the client’s needs and requirements.

    Continuous Delivery of Pen Test Results

    This new penetration testing delivery experience shares pen test results with the client in real time through a technology platform or web portal. Penetration Testing as a Service (PTaaS) delivers results year-round, unlike point-in-time pen tests, which are typically executed only once a year.

    A PTaaS platform improves decision-making and accelerates remediation through tool integration. However, a client must have reached a certain maturity level and have specific continuous monitoring requirements before engaging a year-round penetration testing service. For most clients, continuous delivery of pen test results during the engagement through a client portal will suffice. Nevertheless, development of a PTaaS delivery platform should be considered.

    Ticketing System Integration

    Streamlined management of penetration testing results is non-negotiable. More organizations are requiring their pen testing firms to integrate with existing remediation processes and ticketing systems.

    This approach ensures that remediation is properly managed so that no issues fall through the cracks. Furthermore, it allows remediation tasks to be registered, assigned, and tracked with existing tools.

    Demand for Customization

    There is increased demand for customization of severity and risk ratings, remediation assignments and service level agreements (SLAs), and the ability to manage the results where it is most efficient for the defense and development teams.

    This is a prevailing theme in modern society. The Internet has spawned a generation of educated clients, and one-size-fits-all is no longer enough to satisfy expectations. That genie is not going back in the bottle. Providing a customized penetration testing service is a business imperative.

    The Impact of Change

    Organizations are becoming educated clients of penetration testing services and expect highly customized engagement methodologies based on their maturity level, regulatory compliance requirements, unique attack surface profiles, and budgets. Winmill is continuously retooling our scoping process to capture our clients’ unique requirements more precisely and to deliver pen testing services that fully address their security concerns.

    Penetration testing is evolving from point-in-time assessments to continuous delivery. Development of such a capability in the future is something we should consider. Additionally, there is an expectation for continuous project status reporting that we can implement with the Dradis client portal. We should make the portal a standard feature in all our penetration test engagements.

    Finally, having a project manager for every major engagement ensures that the pentester can focus on the in-scope environment while client questions or concerns are addressed in a timely manner by the project manager. It makes sense for the account manager, who already has a relationship with the client, to take on this role.
