Organizations face various stresses in ensuring that their data, infrastructure, applications, and other business assets meet the necessary security requirements.
Beyond scheduling the time and determining the best processes for security testing, businesses are up against greater pressure from their own boards and from regulators to maintain compliance with security standards.
Practices outlined by such regulations as GDPR and HIPAA are now requiring or recommending more frequent audits with penetration testing. To cope with these demands, many companies are turning to a more rigorous and continuous process of security testing, according to new survey results released on Dec. 4 from Synack.
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)
As detailed in Synack’s “The 2020 State of Compliance and Security Testing Report,” 44% of the respondents said they perform security testing on a monthly basis to better understand and assess their current level of security risk. Some 30% said they perform such testing on a quarterly basis, while 9% do it semiannually, and 10% just once a year.
But regular security testing can be challenging. Though 41% of the respondents said they’re satisfied with their current process for security compliance testing, 59% acknowledged certain issues.
The biggest challenge is the sheer expense as companies must factor in the cost of the test activity, the cost of remediation, the cost to scale efficiently, the cost of integrating with their DevOps processes and software pipelines, and the cost of dealing with false positives or poorly reported issues.
Other stumbling blocks reported by those surveyed include the time required to schedule security testing, the ability to manage testers, the quality of testing, and the time spent testing.
A typical security test should take one to two weeks to allow enough time for analysis, Synack says. But among the respondents, 41% spend less than eight hours on a typical test, 30% spend 9 to 20 hours, 13% spend 21 to 41 hours, and 9% spend 41 to 80 hours. Only 7% spend more than 80 hours.
The low number of hours devoted to each test could be a result of limited budgets and small team sizes, says Synack, especially if staffers have to handle a variety of business assets. Another cause could be the difficulty of finding high-quality vendors to help with testing.
“Although we are seeing a move toward a 24/7, 365 security culture at organizations in a wide variety of industries and geographies, there is still ample room for improvement,” Aisling MacRunnels, Synack’s chief marketing officer, said in a press release.
“Our survey found that on average, most security tests are lasting just 20 hours,” MacRunnels said. “As the number of cyber incidents continues to increase, it will be imperative for decision makers to implement security testing solutions on a continuous basis with 1500-2000 hours of testing a year.”
Security testing has also become more taxing due to faster application development cycles. Agile and DevOps methodologies are pushing code to production more frequently, according to Synack.
As a result, some organizations are letting their developers perform security testing to cut down on last-minute problems and to trim costs by finding bugs earlier in the development cycle.
To help with their security testing, more companies are looking externally. Some 43% of the respondents said they used one or more external security testing vendors to perform their compliance and security testing.
Companies typically rely on outside security vendors to supplement their own resources, to attain specialist skills they don’t possess internally, and to obtain an independent perspective free from internal bias. Outside vendors are used for specific purposes as well.
Some 63% of the respondents said they use external security providers to identify and reduce vulnerabilities, while 47% use them to meet compliance mandates.
But relying on multiple security vendors introduces its own set of challenges. Slightly more than half of the respondents said they see overlap in the capabilities of their external security vendors.
This type of overlap can lead to unnecessary redundancy, inconsistent results, and inefficient budgeting. In general, larger enterprises tend to go for the best vendors, which can lead to a greater number of them, while smaller firms gravitate more toward single trusted partners.
Finally, one area that’s just starting to gain traction is crowdsourcing security testing. Among the respondents at larger enterprises, 8% said they’ve begun adopting Crowdsourced Security Testing methods to respond to certain challenges in compliance testing. This typically takes the form of bug bounties that reward external researchers who discover security flaws.
“The rapid embrace of crowdsourced security testing has happened because it is proven to work better than traditional security testing methods and addresses the ever growing talent gap within organizations,” Mark Kuhr, chief technology officer and co-founder of Synack, said in the release.
One useful approach may be to combine more structured and traditional compliance penetration testing with more unstructured but incentivized bug bounty programs.
However, Synack cautions companies to remember that not all Crowdsourced Security Testing is equal and that some methods may introduce greater risk to security testing.
To compile the report, Synack surveyed more than 311 organizations in North America across a range of industries. Among the sectors represented in the survey were technology, government, health, information technology, and financial services.