In the security market, penetration testing is a time-honored practice that typically requires a lot of time to organize, schedule and manage. Security vendor Trustwave is now aiming to change the delivery model for penetration testing with a managed security testing service that is provisioned from the cloud, but still includes the use of human intelligence.
The managed security testing service enables enterprises to schedule their own tests via the cloud, Trustwave Director Charles Henderson told eWEEK. "Penetration testing has traditionally been a vendor-driven prospect," Henderson said. "In the legacy model, you are consuming the penetration test on the vendor's terms from scheduling all the way on down."
The Trustwave approach is about giving enterprises the ability to control and manage the penetration-testing process. Henderson said the testing is comprehensive and blends human intelligence with automated processes.
Automated security scanning is nothing new, and the security market is littered with solutions that will scan for vulnerabilities. Henderson argued that the managed security service and true penetration testing are not the same as simple automated security scanning. Business logic flaws are something that the humans that are part of the managed security testing service can find that automated scanning alone cannot.
"Application scanning only looks for programmatic errors," Henderson said. "There are a lot of vulnerabilities that are fundamental flaws that are not driven by a true programmatic error."
For example, SQL Injection, which is a common class of vulnerability, is a programmatic error that an automated application scanner can find. A business logic flaw in contrast can be fixed at the code level but is not as easily detectable. For example, a business logic flaw could be an application that enables the price of an item to have a negative value.
"There is nothing programmatically wrong with allowing an integer to be negative," Henderson said. "It's just that when that integer happens to be a price, that can be a very bad thing."
Going a step further, a typical application scanner is able to provide some form of recommendation for a fix. The Trustwave service can also be integrated with Trustwave's cloud-based Web Application Firewall (WAF). Henderson noted that fixes can be deployed on the fly, with automated rules sent to the WAF to prevent exploitation of discovered flaws.
The way the system works is that the Trustwave cloud portal can be used for the project management of a penetration test, in terms of scheduling and assets to be tested. The tests can be set to run on a regular cycle as part of an ongoing process to help ensure that an organization understands its own security posture. The system also provides reporting on what has been done.
Organizations will increasingly need regular and routine testing as new compliance efforts come into effect. The Payment Card Industry Data Security Standard (PCI-DSS) is currently gearing up for a new standards release. The new PCI-DSS 3.0 standard puts a strong emphasis on regular evaluation and security processes.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.