What is Penetration Testing as a Service: The Benefits for SaaS Companies

Posted on July 29, 2021 - by Sherif Koussa - in Growing Your SaaS Company


This guest post is from Software Secured, a Securicy partner.

On the dark side of hacking, cybercriminals identify and exploit vulnerabilities to break into a software application. Then they monetize the data by draining compromised bank accounts, selling personal information, or holding sensitive data for ransom, among other things. Globally, cybercrime is expected to cost organizations USD $6 trillion in damages by the end of 2021. 

So, what’s over on the lighter, friendlier side of hacking? Penetration testing, also known as ethical hacking or white-hat hacking. 

Penetration Testing Increases Agility

Traditional penetration testing is normally done once a year, a practice inherited from the waterfall era, when it was normal for a software development life cycle to last 18 months. In those times, security was just a small step as development teams prepared to push a release to production. A single review of the release candidate was usually considered enough to sign off on the security of the release. Any security issues found would be fixed and shipped in a later minor release or hot patch.

As development teams adopt more agile software development processes today, pushing code daily or multiple times a day is becoming the new norm. 

Companies like Amazon, Google, and Netflix are known to push code to production hundreds and sometimes thousands of times per day.

Pushing code to production more frequently renders yearly pen tests moot. Today’s teams aren’t comfortable pushing code to production without at least base-level functional testing. So, why are they comfortable with only an annual pen test that leaves every release shipped in the other eleven months untested? 

Penetration Testing as a Service (PTaaS) is a more continuous form of manual pen testing. It evolves traditional pen testing from an isolated yearly exercise into an integrated, application-aware manual assessment that keeps pace with the release cadence. 

Typically, comprehensive penetration tests happen regularly to align with major releases. As application testers understand the business logic more, they perform increasingly targeted and sophisticated tests.

With PTaaS, pen testers work with their clients frequently and keep an open line of communication in case an issue arises. As such, pen testers build close working relationships with their clients. As trust is earned, pen testers are given access to more of the client’s source code to review alongside the running application. In turn, they can find deeper, higher-impact vulnerabilities (for example, business-logic flaws and issues in code paths that are hard to reach from the outside) than a black-box assessment alone could.

In general, one-time penetration testing is the short-term, lower-cost option for companies that want a single assessment, usually just to obtain a report or attestation letter for a vendor security questionnaire. On the other hand, PTaaS is a long-term investment for companies that want to be proactive in their pursuit of secure application development. The companies that choose PTaaS over one-time testing are usually medium to larger-sized companies that already have an established DevOps pipeline and are looking to make security an everyday priority. 

One-time penetration testing is ideal for start-ups in seed rounds, while PTaaS is best for Series A or Series B companies.

What’s the Value of Penetration Testing as a Service?

PTaaS is valuable as a long-term investment. On the surface, it provides confidence that your application security is up to par, fending off hackers from the dark side. 

Deeper down, integrating PTaaS with your development process empowers an internal security culture. Security engineers have insights from years of specialized experience to pass onto your development team. As your team rolls out new features and updates, they will work with your PTaaS security team for application re-testing, ensuring those new roll-outs are secure. 

DevOps Meets Penetration Testing

This integration between your DevOps team and PTaaS team reinforces the role and importance of security in organizations. Together, they form DevSecOps. With DevSecOps, security isn’t a small, check-box style component of the SDLC. Rather, it’s a prioritized component in each stage of the process. A specialized team is aligned to support the goal of secure application development. 

After all, isn’t it easier to know how to create an application that’s secure by design rather than knowingly run the risk of a cyberattack? 

Continuous Access to Security Expertise

PTaaS is year-round, which means a client’s access to their security testing team is year-round too. Gone are the days when a pen tester was only available to answer questions during the engagement, and the client was left to fend for itself once the report was handed over. 

PTaaS gives companies continuous access to their pen testers. Pen testers can answer questions at any stage of the SDLC, whether you’re looking to make a new feature secure by design or to confirm that a bug from your last test has been fixed correctly. 

Build a Security Culture While Pushing Security Left

Security belongs to everyone in the organization, not just the development team. However, many organizations are still finding it difficult to layer secure processes into their everyday operations. So instilling good security practices into your development team is a good starting point that can act as the foundation for the rest of your organization’s security practices and policies later. 

Continuous access to security expertise and building new DevSecOps processes empowers an internal security culture. Through PTaaS, code is continuously being tested by security experts who understand both security and development. Working side by side, development teams can learn current security best practices in the SDLC. Then, development teams can relay their learnings to the other departments and improve security measures in all areas of the organization. 

Getting The Most Out Of PTaaS

As one of the most extensive application security assessments, PTaaS is definitely an investment. It is also the most comprehensive and detailed form of testing, and the one most tailored to your business logic. So, how do you calculate the ROI on pen testing? How can you be confident that you’re getting value from PTaaS?

According to Software Secured’s 2020-2021 data, 13.6% of all penetration testing and PTaaS findings were high severity vulnerabilities. These security bugs could have caused serious loss of data or downtime if exploited. Each high severity vulnerability found saved a company from huge potential losses in time, legal fees, and/or remediation efforts. 

They also determined that, within a year, clients who use Penetration Testing as a Service find on average more than twice as many bugs as their one-time penetration testing clients. This is a result of more frequent testing, the ability to do source code review, and constant access to security expertise. Consequently, PTaaS clients are more likely to have secure applications all year long.

Putting the results to work in marketing initiatives, sales meetings, and developer training all helps boost your return on investment when you adopt PTaaS.

Build Confidence In Your Application Security

Software Secured is one of Securicy’s preferred partners specializing in PTaaS. As a leading PTaaS provider, they’ve tested over 500 applications from top clients, including Solace, Klipfolio, and Macadamian.

In addition to PTaaS, Software Secured also offers traditional penetration testing, source code review, threat modeling, and corporate application security training.

Regardless of size, any business with its own network or application needs to be aware of the role and importance of information security. So, how are you going to ensure that yours is secure?


About the author

Sherif Koussa is an OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and Secure Coding Instructor. Sherif began his security career as the lead developer for OWASP WebGoat 5.0, and served as a mentor for SANS Institute and exam consultant for GIAC, where he authored more than 500 Java and .NET questions. He also worked for Wells Fargo Bank in the central security code review team.

100 million lines of code later, Sherif brings lessons learned from writing insecure code as a developer, along with years of experience as a security code review engineer and pen-tester, finding vulnerabilities in custom code.

Sherif is also CEO and founder of Software Secured (https://www.softwaresecured.com) and Reshift Security (www.reshiftsecurity.com). Software Secured specializes in Penetration Testing as a Service (PTaaS) and instructor-led training.

Reshift Security is a developer-first security tool that automates the process of finding and automatically fixing vulnerabilities in custom code, with a click of a button.