
Why continuous security testing is a must for organisations today

Sponsored by Intigriti

The global cyber-security market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.

One big area of spending includes the art of putting cyber-security defences under pressure, commonly known as security testing.

MarketsandMarkets forecasts that the global penetration testing (pentesting) market will grow at a compound annual growth rate (CAGR) of 13.7 per cent from 2022 to 2027.

However, costs and limitations involved in carrying out a penetration test are already hindering market growth, and consequently many cyber-security professionals are making moves to find an alternative solution.

Pentests aren’t solving cyber-security pain points

Pentesting can serve specific and important purposes for businesses. For example, prospective customers may ask for the results of one as proof of compliance.

However, for certain challenges this type of security testing methodology isn’t always the best fit.

1. Continuously changing environments

Securing constantly changing environments within rapidly evolving threat landscapes is particularly difficult.

This challenge becomes even more complicated when aligning and managing the business risk of new projects or releases.

Since penetration tests focus on one moment in time, the result won’t necessarily be the same the next time you make an update.

2. Rapid growth

It would be unusual for fast-growing businesses not to experience growing pains. For CISOs, maintaining visibility of their organisation’s expanding attack surface can be particularly painful.

According to HelpNetSecurity, 45 per cent of respondents conduct pentests only once or twice per year and 27 per cent do it once per quarter, which is woefully insufficient given how quickly infrastructure and applications change.

3. Cyber-security skills shortages

As well as limitations in budgets and resources, finding the available skillsets for internal cyber-security teams is an ongoing battle. As a result, organisations lack the capacity to spot and promptly remediate specific security vulnerabilities.

While pentests can offer an outsider perspective, often it is just one person performing the test. For some organisations, there is also an issue of trust when relying on the work of just one or two people.

“Not all pentesters are equal,” says Sándor Incze, CISO at CM.com. “It’s very hard to determine if the pentester you’re hiring is good.”

4. Cyber-threats are evolving

The constant struggle to stay up to date with the latest cyber-attack techniques and trends puts media organisations at risk. Hiring specialist skills for every new cyber-threat type would be unrealistic and unsustainable.

HelpNetSecurity reported that for 71 per cent of pentesters it takes between one week and one month to conduct a pentest. Then, more than 26 per cent of organisations must wait between one and two weeks to get the test results, and 13 per cent wait even longer than that.

Given the fast pace of threat evolution, this waiting period can leave companies unaware of potential security issues and open to exploitation.

5. Poor-fitting security testing solutions for agile environments

Continuous development lifecycles don’t align with penetration testing cycles (often performed annually). Therefore, vulnerabilities mistakenly created during long security-testing gaps can remain undiscovered for some time.

Bringing security testing into the 21st century

A proven solution to these challenges is to use ethical hacker communities in addition to a standard penetration test. Businesses can rely on the power of these crowds to assist them in their security testing on a continuous basis.

A bug bounty program is one of the most common ways to work with ethical hacker communities.


What is a bug bounty program?

Bug bounty programs allow businesses to proactively work with independent security researchers, who are incentivised to find and report bugs.

Often companies will launch and manage their program through a bug bounty platform, such as Intigriti.

Organisations with high-security maturity may leave their bug bounty program open for all ethical hackers in the platform’s community to contribute to (known as a public program).

However, most businesses begin by working with a smaller pool of security talent through a private program.

How bug bounty programs support continuous security testing structures

While you’ll receive a certificate to say you’re secure at the end of a penetration test, it won’t necessarily mean that’s still the case the next time you make an update.

This is where bug bounty programs work well as a follow-up to pentests and enable a continuous security testing program.


The impact of bug bounty programs on cyber-security

By launching a bug bounty program, organisations experience:

  1. More robust protection: company data, brand and reputation have additional protection through continuous security testing
  2. Enabled business goals: enhanced security posture, leading to a more secure platform for innovation and growth
  3. Improved productivity: increased workflow with fewer disruptions to the availability of services
  4. Increased skills availability: internal security teams’ time is freed by using a community for security testing and triage
  5. Clearer budget justification: ability to provide more significant insights into the organisation’s security posture to justify and make the case for an adequate security budget
  6. Improved relationships: project delays significantly decrease without the reliance on traditional pentests

Want to know more about setting up and launching a bug bounty program?

Intigriti is the leading Europe-based platform for bug bounty and ethical hacking. The platform enables organisations to reduce the risk of a cyber-attack by allowing Intigriti’s network of security researchers to test their digital assets for vulnerabilities continuously.

If you’re intrigued by what you’ve read and want to know about bug bounty programs, simply schedule a meeting today with one of our experts!

hello@intigriti.com

www.intigriti.com

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543