This guest post is from Software Secured, a Securicy partner.
We hear a lot about pen testing in business today. But what exactly is pen testing and how is it different from something like vulnerability scanning? When do you use one over the other? Why are customers, VCs, and even accelerators demanding pen test reports from their vendors?
And how did we end up in a place where knowing the answers to these questions can make or break it for your company’s success?
“Software is eating the world” is a famous quote by Marc Andreessen, the co-founder of Netscape and general partner at the well-known Andreessen Horowitz, a private venture capital firm in Silicon Valley.
The technology landscape has changed rapidly in the 10 years since Marc uttered those words. This rise of tech firms is thanks to increased access to some of the main ingredients required to build a technology company.
1. The Map: Unicorns like Airbnb, Uber, Datadog, SpaceX, Instacart, and others gave aspiring entrepreneurs the map to realize their own dreams of changing the world in their respective areas of expertise.
2. The Tools: Gone are the days when entrepreneurs needed hundreds or even tens of thousands of dollars to start a tech company. Today, you can set up a free EC2 instance and a GitHub account, add a code editor, spin up a website, and you’ve launched!
3. The Investors: According to TechCrunch, there are more VC funds than ever, with US VC deal activity in 2018 alone estimated at $130.9B, up from $36.9B in 2008.
OK, so there are more tech companies, you get it. But why are all these tech companies doing pen testing?
The increased number of technology companies, many of which are changing the way we live and interact with one another and the world around us, has led to a slow but strong change of habits, reflected best in the boom of e-commerce. In 2019, for the first time in history, the total market share of “non-store” (online) U.S. retail sales was higher than that of store retail.
Even healthcare, historically one of the markets lagging furthest behind in digital transformation, is now accelerating rapidly, driven by the situation COVID-19 has created. Digital healthcare transformation is now one of the fastest-growing industries, estimated to reach $210B by 2025 with a CAGR of 14.2%.
Digital transformation across industries means a lot of information now flows over the internet, processed by billions of lines of code running on new technologies such as cloud, containers, orchestration, and more. This has created even more opportunities for hackers to monetize data. Fifteen years ago, nothing other than credit cards could be monetized; now threat actors are making bank on everything from stolen health identities to Uber rides and airline miles.
OK, so hackers have more things to hack. Still, why pen testing?
There are four main drivers behind the increase in penetration testing demand.
1. Gruesome Cyber Attacks: Several cyber attacks left a mark that can’t be erased easily. Yahoo losing 3 billion records, First American Financial Corp losing 885 million records, Facebook losing 540 million records, and Marriott International losing 500 million records are imprinted in all of our minds, even if we don’t understand how it all went down.
2. Compliance & Regulations: Increasing digital transformation, as well as the deteriorating security scene, has led to both industry and government regulations dominating how we communicate and do business. In the last two years alone, four governments have started to act: the EU with GDPR, Canada with the Get Cyber Safe guideline, the UK with the Minimum Cyber Security Standard, and Australia with its Information Security Manual.
3. Enterprise demand: A decade ago it was normal for a Fortune 500 company acquiring enterprise software to pay for the pen test itself. Nowadays, it is almost impossible to start talking to an enterprise without a SOC 2 report and a recent clean pen test report.
4. Agile engineering minds: Software engineers want to build smartly and safely. With security now seen as a quality issue, engineers are looking for security partners to share the burden.
Security was historically seen as a cost center. However, more companies are working out how to get a return on their security spend, particularly on pen tests.
From a basic automated vulnerability scan to a high-assurance pen test carried out by ethical hackers, making the most of your investment of time, money, and resources is crucial for growing startups and scale-ups.
Securicy is joining forces with Software Secured to help make sense of when a vulnerability scan will do, when a pen test is necessary, and how to make the most of any security investment you make.