Oh Good – Another Pentest Report

August 22, 2022 / Editor / general

Penetration testing has become a vital part of many organisations’ security apparatus both from a compliance and a security hygiene point of view. Testing allows you to get an idea of what vulnerabilities a service might contain and guidance in how to fix them. The problem is that tests are expensive and provide a point-in-time view of the system, meaning that with a limited security budget, most services are tested on an annual or quarterly cadence. Tests are almost always conducted in production and therefore tightly scoped to avoid causing downtime. Reports then take time to analyse and discuss with the internal teams responsible for the system being tested and negotiation on which vulnerabilities to fix. What makes this process even harder is that it’s not always clear which vulnerabilities would actually lead to a breach, and which are more academic. Depending on how much threat modelling you’ve done, and how much the pentesters have taken that into account, the prioritisation process may be easier or harder.

But what’s even worse about this whole process is that the pentest teams have to pull their punches. I’ve lost count of the number of reports I’ve seen where the tester has found what they think may be a vulnerability, but they can’t confirm because to do so could be disruptive to the service – something a real attacker isn’t likely to be all that worried about. AppSec and Dev teams have a limited time budget, and that makes it even harder them to work out whether this is something that needs to be fixed, or whether a problem exists at all.

This is all because most of us don’t have a representative non-production environment that can be tested. To get real value from a test, the testing team should be able to bring their full expertise to bear against the system being targeted and simulate a real attack, regardless of whether that would take the service offline.

The solution is to use a cyber range to create a simulation of your real production environment that can be tested to destruction if necessary using either human or automated adversary simulations. Even better, you can hook up your SOC tooling to the simulated environment and let your operational security teams see what a genuine attack looks like using their own tools. If you want to see what impact changes you’re making to the environment would have, copy those changes across to the range, or hook up your CI/CD pipeline to it.

Not only are you able to see what vulnerabilities your system has, but you can evaluate how your operational security teams and technology would detect those attacks and customise training to focus on them. It means less time reading reports and more time fixing problems. To deliver this, Bastion has partnered with SimSpace. For the cost of a few scoped penetration tests, you could have your own cyber range hosted on-prem or in the cloud with the added benefit of hundreds of hours of detailed cyber security training that can be experienced in a true-to-life simulated environment, giving your operational security teams a compelling advantage against real-life foes.

If you would like to experience a live-fire cyber range built for your environment, contact us for chat.