Internet-published banking web applications and services are under constant change: new workflows, features, functions and patches are added, often several times a week. Many of these changes affect the overall security posture of the application. Parking those changes until the quarterly or annual penetration test can become a very costly decision for the bank if attackers exploit a weakness introduced by such a change first. At the same time, running a full penetration test against every published application and service for every minor change is not always feasible, and can itself create stability and availability problems in the production environment. Automated threat simulations often replay pre-scripted attack test cases at varying intensity levels and so give a false sense of assurance. Similarly, continuous vulnerability scanning only finds a weakness for which the scanner already has a signature in its database; a flaw in the bank's own business logic is invisible to it. To address this gap, the concept of Continuous Penetration Testing is introduced.
A Continuous Penetration Testing process should ensure that the web presence of the target financial organisation is monitored by a continuous asset discovery service, and that the appearance of any new asset invokes a penetration test of that asset. In addition, the confirmed set of in-scope assets should always be under penetration testing performed with manual expertise and contextual knowledge of the business. The target asset group cycles through the different phases of a penetration test. While the application development and maintenance team works through the remediation steps for previous findings, testing continues against new facets of the attack surface. Once the remediation effort is complete, a revalidation penetration test is initiated to measure the effectiveness of the remediation measures.
The process is continuous: remediation and threat discovery are always happening in parallel. This approach lets banks publish applications to their customers on time, without delay, while ensuring that critical security issues are not left unaddressed until the next quarterly or annual penetration testing window.
On-demand testing should also be triggered whenever a new component is added to the application. Asset discovery and detailed technology stack enumeration have to be performed, and the blueprint of the asset inventory has to be cross-checked against the new findings. That way, additions of new libraries and other dependencies are discovered on time and the applicable risk is recalculated. Special emphasis has to be given to important business workflows and features.
Cyber Threat Management teams have to monitor the latest attack trends, techniques and the availability of exploits, and take the necessary measures to ensure that the actual risk to the assets in scope is always under control. Lessons learned from previous exercises help enhance the blue team's capability to detect attack attempts in near real time. Changes to the threat landscape, such as a public exploit appearing for a component in the inventory, have to be identified automatically and used as a trigger to invoke a new round of penetration testing. Sometimes, however, automated asset discovery and technology stack enumeration do not produce enough information to detect a change in threat.
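The three automatic triggers described above, a newly discovered asset, a change in an asset's technology stack or dependencies, and a change in the threat landscape affecting a known component, can be implemented as a small decision step that sits between the discovery tooling and the pentest team's work queue. The following is an added example written for this page; it is not code from NetSentries or from any discovery product. The inventory, the advisory feed, the host names and the component names are all constructed sample data, and the advisory identifiers are placeholders, not real vulnerability IDs. It assumes discovery output has already been normalised into a host-to-component-version mapping.

```python
"""Trigger logic for a continuous penetration testing programme.

Compare a fresh asset/technology-stack inventory against the stored
blueprint and against a threat-intel feed, and emit one test request
per asset that needs attention. Sample data is constructed for this
example; component names and advisory IDs are placeholders.
"""
from dataclasses import dataclass

# Stored blueprint: host -> {component: version}. Constructed sample data.
BASELINE = {
    "ib.example-bank.test": {"reverse-proxy": "1.24.0", "app-framework": "3.1.4",
                             "js-widget-lib": "3.6.4"},
    "api.example-bank.test": {"reverse-proxy": "1.24.0", "app-framework": "3.1.4"},
}

# Latest discovery run. Constructed: one host appeared, one dependency was
# added and one framework version changed since the blueprint was taken.
CURRENT = {
    "ib.example-bank.test": {"reverse-proxy": "1.24.0", "app-framework": "3.2.0",
                             "js-widget-lib": "3.6.4", "pdf-render-lib": "2.14.1"},
    "api.example-bank.test": {"reverse-proxy": "1.24.0", "app-framework": "3.1.4"},
    "payments.example-bank.test": {"reverse-proxy": "1.25.3"},
}

# Constructed threat-intel feed. "affected_below" is the first fixed version;
# the IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-0001", "component": "pdf-render-lib", "affected_below": "2.17.1",
     "exploit_public": True},
    {"id": "ADV-0002", "component": "app-framework", "affected_below": "3.1.0",
     "exploit_public": False},
]


@dataclass
class Trigger:
    asset: str
    reason: str
    priority: str  # "high" or "normal"


def _ver(v: str) -> tuple:
    """Dotted numeric version string -> comparable tuple, e.g. '1.24.0' -> (1, 24, 0)."""
    return tuple(int(part) for part in v.split("."))


def diff_inventory(baseline: dict, current: dict) -> list:
    """Cross-check the blueprint against the latest discovery results."""
    triggers = []
    for host, stack in current.items():
        if host not in baseline:
            # A new internet-facing asset gets a full test straight away.
            triggers.append(Trigger(host, "new asset discovered", "high"))
            continue
        old = baseline[host]
        for comp, ver in stack.items():
            if comp not in old:
                triggers.append(Trigger(host, f"new dependency {comp} {ver}", "normal"))
            elif old[comp] != ver:
                triggers.append(Trigger(host, f"{comp} changed {old[comp]} -> {ver}", "normal"))
    for host in baseline:
        if host not in current:
            # Disappearance is also a change worth confirming with the owners.
            triggers.append(Trigger(host, "asset no longer reachable; verify decommission", "normal"))
    return triggers


def match_advisories(current: dict, advisories: list) -> list:
    """Threat-landscape trigger: a known component falls inside an advisory's affected range."""
    triggers = []
    for host, stack in current.items():
        for adv in advisories:
            ver = stack.get(adv["component"])
            if ver is not None and _ver(ver) < _ver(adv["affected_below"]):
                prio = "high" if adv["exploit_public"] else "normal"
                triggers.append(Trigger(host, f"{adv['id']} affects {adv['component']} {ver}", prio))
    return triggers


def plan_tests(baseline: dict, current: dict, advisories: list) -> dict:
    """Collapse all triggers into one test request per asset with the highest priority seen."""
    plan = {}
    for t in diff_inventory(baseline, current) + match_advisories(current, advisories):
        entry = plan.setdefault(t.asset, {"priority": "normal", "reasons": []})
        entry["reasons"].append(t.reason)
        if t.priority == "high":
            entry["priority"] = "high"
    return plan


if __name__ == "__main__":
    for asset, req in plan_tests(BASELINE, CURRENT, ADVISORIES).items():
        print(f"[{req['priority']}] {asset}: " + "; ".join(req["reasons"]))
```

With the sample data the payments host is queued as a new asset and the internet-banking host is queued once with three reasons (a framework upgrade, a new library, and an advisory with a public exploit against that library), while the unchanged API host generates no request. In practice the inventory would come from the discovery service and the advisory feed from the threat-intel platform; the version comparison here only handles plain dotted numeric versions, so vendor-specific schemes need their own comparator before this logic is trusted for them.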
Similarly, there will be scenarios where testing needs to be invoked as part of a newly deployed change, or to verify the effectiveness of a specific built-in or compensating security control. The Cyber Threat Management team may also need to validate coverage against a new attack trend. To address all of this, ad hoc testing upon request should be incorporated into the programme.
Though Continuous Penetration Testing may be most relevant for internet-published web applications and services, it can be used for internal penetration testing requirements as well as for mobile applications and perimeter infrastructure devices. The programme can also cater to the requirements of several compliance standards and regulations. Unlimited revalidation and thorough coverage of the identified threat scenarios justify the investment, and the exposure window created by the scheduled nature of periodic testing, or by a complete lack of testing, is closed. If immediate remediation is not possible due to design limitations or other dependencies, compensating controls or workarounds should be recommended wherever possible.
Passive threat discovery with OSINT and dark web enumeration is an added benefit of such a programme. Threat surface analysis of the organisation and its assets, performed with in-depth OSINT and dark web mining, produces datasets (exposed credentials, leaked source, mentions of the bank's domains and products) that can in turn be used to develop new, relevant security test cases.
About NetSentries: NetSentries Technologies is a leader in the Cyber Threat Management space. NetSentries provides a portfolio of security assessment, control validation, defensive and detective security advisory services to enterprises. NetSentries is engaged with several business verticals such as Banking and Finance, Oil and Gas, Retail, Manufacturing and Healthcare to assess their current security posture and continuously improve resilience against targeted cyber-attacks. NetSentries works with several banks and FinServ companies to improve enterprise-wide security posture and meet compliance requirements from regulators.