BAS will kill the Pentest
A penetration test, also called a pen test or ethical hacking, is a cybersecurity technique organizations use to identify, test and highlight vulnerabilities in their security posture. These penetration tests are often carried out by ethical hackers. These in-house employees or third parties mimic the strategies and actions of an attacker in order to evaluate the hackability of an organization’s computer systems, network or web applications. Organizations can also use pen testing to test their adherence to compliance regulations.
Ethical hackers are information technology (IT) experts who use hacking methods to help companies identify possible entry points into their infrastructure. By using different methodologies, tools and approaches, companies can perform simulated cyber attacks to test the strengths and weaknesses of their existing security systems. Penetration, in this case, refers to the degree to which a hypothetical threat actor, or hacker, can penetrate an organization’s cybersecurity measures and protocols.
BAS – new trend
Breach and Attack Simulation (BAS) solutions represent a new and emerging market and are directly adjacent to vulnerability assessment, according to the Market Guide for Vulnerability Assessment. They perform automated security testing: some challenge the existing security infrastructure and some model attack chains to identify the most-likely path an attacker would use to compromise an environment.
BAS products are becoming more mainstream and have begun transforming the security testing landscape. Breach and attack simulations can play a critical role in protecting key organizational assets by simulating likely attack techniques across all attack vectors, then providing prioritized remediation guidance. By doing this in an automated, continuous fashion, breach simulations provide non-stop protection and allow defenders to take a more aggressive posture toward maintaining security across all aspects of a security environment.
BAS will kill the Pentest
If you look at how pentests are performed today, discounting the red team style of exercises, you’ll see that it’s not very different than a good vulnerability assessment. But still, it’s different, because it involves exploiting vulnerabilities, and that exploitation can move the assessor to another point in the network that can be used for another round of scanning/exploitation. And that’s where BAS tools come into play.
BAS automates the simple pentest, performing the basic cycle of scan/exploit/repeat-until-everything-is-owned. If you have the ability to do that with a simple click of a button, why would you use a human to do that? The tool can ensure consistency, provide better reporting and do it faster. Not to mention requiring less skills (you don’t even need to know how to use Metasploit!). So, with BAS, you either go for human tests because you want a red team, or you use the tool for the simple style of testing.
But, you may argue, not everyone will buy and deploy those tools, so there’s still room for the service providers selling basic pentesting. Well…no! BAS will not be offered only as something you can buy and deploy on your environment. It will also, like all the other security tools, be offered as SaaS. With that, you don’t need to buy and deploy it anymore, you can “rent it” for a single exercise. This is simpler than hiring pentesters, and provides better results (again, I’m starting to sound repetitive, but excluding the really great pentests…). So, why would you hire people to do it?
In Vietnam, Pama is the pioneer in distributing BAS application solutions from Picus – the world’s leading security company providing Breach and attack simulation solutions
Read more about BAS of Picus here: https://www.picussecurity.com/
Translator: Nguyễn Thùy Trang