When it comes to security, organizations often consider themselves well-covered. But in today’s landscape, where cybersecurity threats evolve at breakneck speed, even the most well-prepared teams cannot afford to have testing gaps.
The reality is that if your primary strategy for removing security testing gaps is tightening scanning policies or expanding penetration test scope, you are trying to patch a dam with bubble gum.
Is your attack surface covered? Let’s take a deeper look at the reality behind security testing and how common approaches may leave you with larger gaps than you expect.
To calculate security testing gaps we need a risk model and relevant test criteria. Multi-criteria decision analysis (MCDA) is a great fit. For security testing criteria, we’ll use coverage, accuracy, and frequency.
Why these criteria? Security testing gaps are not just about coverage. Gaps in test frequency and test accuracy are just as problematic.
We all know there’s no standard when it comes to security testing. Each organization must tailor its strategy to its unique business needs, risks, skills and budgets.
While this means the concept of ideal is subjective, the following are agreed-upon truths:
So, let’s put a stake in the ground. “Ideal” testing is full coverage, very high accuracy, and very high frequency. Combined, these should result in a perfect score of 100 and a gap of 0%.
For those of you double-checking the math, note that while the graphic shows basic multiplication, the actual MCDA model is more sophisticated. This graphic is for visualization only. Reach out if you would like to discuss the model (or use our calculator at the end of this blog to determine your own gaps!).
On average, companies deploy 53 security tools across their environments. These tools include a mix of commercial and open-source testing solutions, running at varying frequencies across different assets.
Many of these tools are not designed for the coverage, accuracy, or frequency required for ideal security testing. Stretching these tools beyond their capabilities in order to maximize budget leaves staff with more work, less value and a false sense of security.
Let’s look closer at three common test approaches: network vulnerability scanning, application testing (DAST), and penetration testing.
Network scanners scan known subnets for vulnerabilities and misconfigurations on exposed systems and services. Here is a realistic deployment:
The result is a score of 55, which is a 45% gap from ideal. Probably bigger than you thought. And even if you increase scanning frequency to weekly, you’re still left with a 35% gap.
Dynamic Application Security Testing (DAST) is a form of black-box testing for web applications. Here is a realistic deployment:
The result is a score of 33, which is a gap of 67% from ideal. While DAST tools offer high accuracy, their coverage and frequency pull the score down. This is a major testing gap, despite web applications being one of the largest threat vectors.
Legacy penetration testing is a manual offensive security exercise that includes scoping, reconnaissance, vulnerability scanning, and testing. Here is a realistic use case:
The result is a score of 12, which equates to a considerable gap of 88% from ideal. Pen testing is highly valuable and can be highly accurate, but with coverage and frequency so low it is hard to have it move the needle on real-time risk.
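To make the scoring idea in the model section and the three deployment examples concrete, here is an added illustration that is not CyCognito's MCDA model: a plain multiplicative score over coverage, accuracy and frequency (the "basic multiplication" of the graphic), with an assumed log-scale frequency curve, a 2-year horizon, equal criterion weights, and constructed sample deployments that only loosely mirror the three approaches above.

```python
"""Security testing gap score over coverage, accuracy and frequency.
Added illustration, not CyCognito's MCDA model: a plain multiplicative score
(the blog graphic's "basic multiplication") with a constructed log-scale
frequency curve. Every input value below is a constructed sample."""
import math
from dataclasses import dataclass, replace

FREQ_HORIZON_DAYS = 730.0  # assumption: runs rarer than every 2 years score 0 on frequency

@dataclass
class TestDeployment:
    name: str
    assets_tested: int    # assets the test actually reaches
    assets_total: int     # assets in scope (the whole external attack surface)
    accuracy: float       # 0..1, share of reported findings that are real (assumed)
    interval_days: float  # days between two runs against the same asset

def coverage_score(d: TestDeployment) -> float:
    return min(1.0, d.assets_tested / d.assets_total)

def frequency_score(interval_days: float) -> float:
    # 1.0 for daily/continuous testing, falling logarithmically to 0 at the horizon
    if interval_days <= 1:
        return 1.0
    return max(0.0, 1.0 - math.log(interval_days) / math.log(FREQ_HORIZON_DAYS))

def score(d: TestDeployment) -> float:
    """0..100; the ideal (full coverage, accuracy 1.0, daily runs) scores 100."""
    return 100.0 * coverage_score(d) * d.accuracy * frequency_score(d.interval_days)

def gap_pct(d: TestDeployment) -> float:
    return 100.0 - score(d)

def best_lever(d: TestDeployment) -> tuple:
    """The single criterion that, made ideal, closes the most of the gap, and its gain."""
    variants = {"coverage": replace(d, assets_tested=d.assets_total),
                "accuracy": replace(d, accuracy=1.0),
                "frequency": replace(d, interval_days=1)}
    lever = max(variants, key=lambda k: score(variants[k]))
    return lever, round(score(variants[lever]) - score(d), 1)

# Constructed deployments loosely mirroring the post's three approaches
NETWORK_SCAN = TestDeployment("network scan", 800, 1000, 0.90, 30)   # monthly
NETWORK_SCAN_WEEKLY = replace(NETWORK_SCAN, interval_days=7)         # same scan, run weekly
DAST = TestDeployment("DAST", 40, 100, 0.95, 90)                     # quarterly
PENTEST = TestDeployment("pen test", 100, 1000, 0.98, 365)           # yearly
```

With these constructed inputs, `best_lever` shows frequency as the biggest single lever for the scanner and DAST, while the yearly pen test gains more from coverage than from running daily, which is the kind of per-tool comparison the post asks you to make.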
Is it a surprise that the three examples have, at best, a 45% gap from ideal? If you are like many, this number is large enough that you are comparing it to your own deployments.
You can relax (a bit) since this is a high-level exercise, not a multi-month onsite audit of your InfoSec department. For example, your compensating controls reduce the risk from testing gaps (e.g., a WAF in front of an untested web app), and they aren't part of this measurement.
But that doesn’t mean the gaps aren’t real. Protection-based security tools are important, but resolving an issue before it becomes an incident (or a breach) eliminates the associated emergency overnight patching panic.
Take a look at your current testing technologies through the lens of coverage, accuracy and frequency. How do they compare to ideal, and what do you feel it would take to bring it there?
“CyCognito provides a true platform that cuts across multiple market categories. It gives us greater visibility to our attack surface than other solutions we’ve used and the type of risk assessment depth that normally requires an expert pen tester.”
CyCognito is an automated testing solution with integrated recon, discovery and prioritization. Designed from the ground up to remove the complexity of security testing, CyCognito provides a single interface for safe testing of both network systems and web applications.
With CyCognito, your teams know:
CyCognito provides:
With CyCognito, you can reach a security testing score of 95+, with no installation, configuration, or management challenges.
Curious about your security testing gap? Answer a few questions in the CyCognito Security Testing Gap Calculator to receive a custom report that includes individual test scores, gaps, and customized insight as to how to improve your score.
Jason Pappalexis has worked in cybersecurity for nearly two decades, holding roles across government security administration, third-party testing, solutions architecture, product management, and technical product marketing.