Cloud Applications Advocate for Penetration Testing as a Service

As enterprise applications migrate to cloud infrastructure, application security testing has evolved to resemble penetration testing. This shift has opened up new markets for penetration-testing-as-a-service (PTaaS) providers, who are now focusing on cloud applications rather than traditional network edges. The vulnerabilities inherent in cloud applications, which stem from the application itself, from interconnections between applications, and from the way applications change over time, have raised the importance of robust security measures.

Organizations are under increasing pressure to secure their cloud applications as cyber attackers are actively seeking out remotely exploitable security flaws. According to Kelly Albrink, the associate vice president of consulting at Bishop Fox, an offensive security firm, the average firm faces around 11,000 exploitable security exposures each month. With attackers having ample time and resources at their disposal, organizations must prioritize securing their applications to thwart potential breaches.

As cloud deployment has become the norm for enterprise applications, Gartner predicts that by 2025, 95% of new digital workloads will be hosted on cloud-native platforms. This rapid migration to cloud services, especially with the rise of low-code or no-code applications, poses unique security challenges that need to be addressed proactively.

The intertwining nature of cloud platforms and applications necessitates that pen testers consider not only the security of the application itself but also the configuration of the cloud platform hosting it. According to Caroline Wong, the chief strategy officer at Cobalt.io, access control and configurations differ significantly between network-based and cloud-based applications, requiring intentional testing and assessment.

The State of Pentesting 2023 report by Cobalt highlights that a significant portion of security issues discovered during penetration tests stem from server misconfigurations, such as inadequate security headers and vulnerable SSL/TLS cipher libraries. Common vulnerabilities include stored cross-site scripting (XSS), outdated software versions, and insecure direct object references (IDOR), with a high percentage of these vulnerabilities rated as medium severity or higher.

Over time, PTaaS customers witness a reduction in medium, high, and critical flaws as the most serious issues are identified and rectified. The evolving nature of applications necessitates continuous security assessments to mitigate security debt and ensure a robust defense against emerging threats.

Dynamic application security testing (DAST) and PTaaS have converged, blurring the lines between the two approaches, particularly as applications transition to the cloud. A holistic approach to penetration testing is crucial, encompassing all components that contribute to the user experience, including API endpoints, middleware, firewalls, and backend systems.

In an era of rapid development cycles and agile methodologies, frequent security testing is imperative to prevent the introduction of new vulnerabilities. Organizations must adapt their security spend to allocate resources effectively across offensive and defensive security controls, ensuring a comprehensive security posture to safeguard against evolving cyber threats.
