By Caitlin Marco
Posted On August 30, 2018

5 Ways RASP Will Make Your Pentest Painless

Runtime Application Self-Protection | Pentest | Application Security

 

Regardless of the size of the company you work for, penetration testing is a cornerstone of an application security strategy, especially for companies that need to satisfy certain compliance certifications (SOC2 or PCI DSS, for example). A pentest is a simulated attack against your web applications or a traditional WAF. By using a controlled attack plan, coupled with RASP (runtime application self-protection), you can identify potential vulnerabilities before they are exploited or pushed into prod, and you can use the results to fine-tune your WAF (if you’re into that kind of thing).

It’s basically quality assurance for security before you roll out your product into the wild. Most companies choose to outsource their pentest to 3rd-party testers, while others have pentesters in-house to conduct ongoing assessments. In either case, there are some common pitfalls with pentests that can be eliminated by using RASP to save you time, money, and frustration.

Getting more value out of your application pentest with RASP

Using a RASP tool with your pentest program can get you, your team, or your client on the same page throughout the entire process.

Here are 5 ways using RASP for pentests will add value:

  1. Scoping and documenting the requirements for a pentest
    • Using a RASP tool like tCell (biased recommendation) can help with creating the scope of the pentest because RASP gives you the entire attack surface. Load the RASP tool with your application to get a full view of all the API endpoints and routes to be tested. If working with containers or microservices and you want to make sure your CI/CD pipeline is also secure, load tCell in a container to see the full list of containers to test and create the scoping doc.
    • Having a full view of the application will help structure the objectives around the benefits of the pentest. You can more accurately describe how the pentest will satisfy certain requirements, especially if you already use a RASP tool in production to pull live attack data into your test plan.
  2. Eliminate duplicated effort
    • When you’re using a RASP product during your pentest, you have instant visibility into what attacks are happening, what part of the app has been tested and what attacks were successful. Your pentesters will see what’s going on in the app so they won’t duplicate efforts, saving them time and saving you money.
  3. Simplified reporting and documentation
    • It seems like a no-brainer, but it’s still common for a pentester to forget to document the test: no screenshots, no notes, no activity logs. RASP is already doing most of that for you. You can easily export the attack behavior and successful breaches into a report for your security manager and CISO.
  4. Creating and testing a policy and plan
    • There are two schools of thought on whether to do a pentest on a production environment or an identical test environment, but we’ll save that for another blog post. Just assume that the pentest will happen on a test environment that mirrors production. It’s important that when you cause an incident during the pentest, your IR (incident response) team responds accordingly. One benefit of having RASP enabled is that it can be deployed in the test environment as well as in production, so you have the same set-up and your app behaves identically in both. Additionally, RASP will trigger alerts to your IR team or SIEM, so that process can be tested and refined as well.
    • Typically, WAFs are easy to bypass for a skilled pentester. So if you’re doing a pentest in a production environment, having a RASP tool can give an extra layer of protection while your security team uses the results to fine tune your WAF rules.
  5. Get real results from a pentest
    • As I mentioned earlier, you can match your environments exactly, but there’s another level of value you can get from having RASP in both prod and pre-prod. If you already have a RASP in production, you’re getting legitimate attack data that you can use to model your pentest after. You won’t have to worry about the results of your pentest being inaccurate because it didn’t match the production environment. You can provide real, quantitative improvements to the development team.

 

Even though pentests are common security tactics for innovative companies, they are not without their faults. Using a RASP tool will give visibility into your pentest engagements that will not only improve the overall process, from defining the scope and objectives to executing the plan and writing the report, but also improve the legitimacy of your results. At the end of the day, your recommended improvements will have a real, direct impact on the effectiveness of your app sec program.

If you’re looking for ways to improve your security defenses and add value to your pentest efforts, let us know!