Anh Pham: The old way of doing pen tests just feels like sending snail mail in the new age of Slack and instant messaging. Once you know about a request and once you've patched it, your environment has changed and you now have new weaknesses that you have no idea about.
Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. The more I'm exposed to the world of penetration testing, the more I come across different confusing acronyms and terms. The latest being PTaaS, which I do understand stands for penetration testing as a service. But what does that actually mean? On this episode of The Tea on Cybersecurity, Anh is returning to give us a bit more clarity on this topic. We will be understanding better what PTaaS is, how it differs from a traditional penetration test, why businesses should be looking more into this type of service and everything in between. So let's get into it. Hi Anh.
Anh Pham: Hi Jara. Thanks for having me.
Jara Rowe: Yes, I'm so excited to talk to you. I know you are very experienced in penetration testing and I feel like you're our go-to expert right now for PTaaS.
Anh Pham: Yeah, I mean, I can... I know enough to be dangerous, I would say.
Jara Rowe: Yeah, so just in case someone hasn't listened to any of the previous episodes you've been on, please go ahead and introduce yourself.
Anh Pham: Sure. Hi everyone, my name is Anh and I'm currently the director of penetration testing and security services here at Trava. I lead our penetration testing team, providing expert penetration test engagements to our customers. Very excited to be here today to chat about PTaaS, or penetration testing as a service, what it is and how it can help everybody protect themselves against emerging threats.
Jara Rowe: Fantastic. So listeners, I just want to go ahead and point out a few episodes that we've had about basic penetration tests. So if you want to go back and listen to that, the first one is called Unveiling Vulnerabilities: The Power of Pen Testing and Cybersecurity. And then the other one is Proving Compliance and Security Effectiveness Through Pen Testing. So those go over a little bit more of the basics, which we're not fully getting into on this episode. But again, to make sure that we have a clear understanding, I am going to ask Anh what is penetration testing and why should a company get one in the first place?
Anh Pham: Penetration testing, or pen testing as people like to refer to it, is basically hiring an ethical hacker to break into your system environment before the bad guys do. It's actually a pretty important security control because it's kind of like paying someone to try and rob your house. You know that you have windows and walls in place, but you really want to validate that those are working. So conducting a penetration test is really an exercise in validating that all your controls are working and functioning and actually protecting your data and assets.
Jara Rowe: All right, fantastic. So what's the difference between a one-time pen test and PTaaS?
Anh Pham: A one-time pen test is basically what it sounds like. You bring in a team of experts once, usually once a year. They test your system, write the report and give you the report, and then you're on your own until the next pen test, which would normally happen a year later. It's a snapshot-in-time kind of engagement. It's useful: it reveals vulnerabilities and weaknesses that you need to address. But it's limited, especially in today's world when environments are constantly changing. You are pushing changes every day, you're making changes every day. PTaaS, on the other hand, is meant to be ongoing, so you're taking that one-time pen test and putting it in a framework that is more repeatable and continuous. You get access to expert testers, real-time findings, real-time testing, and really you're just able to replicate the benefit that you get from a traditional one-time pen test continuously throughout the engagement period, throughout the subscription period.
Jara Rowe: Okay. So a one-time pen test is just like a snapshot in time, and then PTaaS is ongoing and repeatable, so it's more beneficial as you change things in your environment. Is that correct?
Anh Pham: That's correct, yes.
Jara Rowe: Okay. So what are... Again, I feel like you were already answering this a bit, but what are the main advantages of using PTaaS?
Anh Pham: Using PTaaS actually brings quite a few benefits over traditional one-time pen testing. But to summarize them, I can think of three main advantages or market benefits. One is speed and flexibility. You get started on tests faster. You don't have to spend weeks on scoping documentation and questionnaires trying to scope your engagement, trying to scope your environment. You go through the scoping process once at the very beginning, and then you can get tests executed pretty much any time throughout the subscription period. You also get access to on-demand retests when you have fixed something and you want your fix to be validated. And your testing cycle gets adapted to your release cycle too. So you get tests executed in a way that makes sense for your environment, and not just a once-a-year kind of thing. Two, you get real-time visibility and collaboration. So findings pop up as they're discovered, which means your internal teams, so these are your developers, your internal IT team, your security team, your networking team, can jump in right away and start fixing them. And then once those are fixed, you get access to on-demand retests again, which means that the penetration tester can come back and validate that your fixes are working. And then the last thing is really continuous security coverage. As I mentioned earlier, everybody's environment is constantly changing, and it's probably changing quite a lot, and a lot faster than once a year. So doing PTaaS gives you that continuous coverage that you normally wouldn't get with traditional one-time pen tests.
Jara Rowe: Yeah, and again, especially for startups or SaaS companies, you're implementing more things from feedback from customers and prospects. So this definitely seems beneficial when it comes to that. Okay, so on to another acronym that I've come across in the world of penetration testing, CTEM, which I understand means continuous threat exposure management. But how does PTaaS relate to CTEM?
Anh Pham: Yeah, so CTEM is a much more comprehensive framework around managing exposure to threats, and it's executed continuously. PTaaS is basically an important piece of CTEM. So with CTEM, it's all about continuously identifying, prioritizing and mitigating your exposure to threats. PTaaS is the part within CTEM that helps you validate the exposure. So you're not just saying, we have a list of a hundred items that we think are risky. With PTaaS in the picture, you can now actually say that within this list of a hundred items, 10 have been validated and can actually be exploited and lead to exposure and breach. So let's focus on them first. So the two really go hand in hand. CTEM is sort of how you see the big picture, and PTaaS is a test that you can perform to make sure that you're just not guessing and spending money where it doesn't make sense.
Jara Rowe: Yeah, definitely don't want to guess, and definitely don't want to spend unnecessary money either. Okay, so I have a better understanding of what PTaaS is, but what kinds of data and systems do PTaaS providers usually test?
Anh Pham: So pretty much anything you would expect from a traditional pen test. So anything that matters to your business. This could be your public website, APIs, mobile applications, infrastructure, internal network. And it's also your external services. Oh, it's also your internal services. So it's not just the external stuff like what I mentioned earlier. A lot of PTaaS providers can also test internal tools. So these are one-time applications, internal subnets, internal devices. The bottom line is, if it's important to your business and it could be a way for an attacker to get in, it's probably worth testing.
Jara Rowe: Absolutely. So again, I can imagine before I start the question that it probably differs from company to company, but how does PTaaS actually work from start to finish? I guess you can generalize it as much as possible.
Anh Pham: Yeah, so as I mentioned earlier, the PTaaS process is a lot like a traditional pen test. It usually starts with the customer by themselves, or the customer and the PTaaS provider working together, trying to figure out what needs to be tested. So this is the scope. It could be a web application, an API, the entire cloud environment, or a combination or mixture of all those. Once that's clear and defined, then the pen test team actually gets to work, right? They run automated scans to catch the high-level stuff, the easy low-hanging fruit, and then they also dig in manually to find the trickier and harder-to-find vulnerabilities and weaknesses. And what makes PTaaS different is that it doesn't stop there. It also includes ongoing vulnerability scanning and attack surface discovery. Which means if something new pops up after your last test, like a new subdomain or service, it's going to get included in your next test because you're getting continuous testing. So that way your testing always reflects your real-world environment that's constantly changing, not a snapshot from two months ago. With PTaaS, you also don't have to wait around for a big report at the end. Once you complete your scoping and you actually get into the engagement execution phase, you get results all the time your test happens. So an issue that's found is shared in pretty much near real time, and you can start fixing it right away. Once you fix a certain issue, you can ask for a retest, and then the expert PTaaS provider, the pen tester, can go in and validate that your fixes are working.
Jara Rowe: Yeah, that totally makes sense. So are there any common misconceptions people have about PTaaS?
Anh Pham: One of the biggest misconceptions is probably that PTaaS is really just glorified automated vulnerability scanning with a dashboard. And to be honest, there are some vendors out there that do that. They lean heavily on automated scanning, automated testing. But the thing is, with penetration tests, those tools can be limited in their capacity or capability to pick up complex, chained weaknesses or business logic flaws. With PTaaS, you actually combine the power of automated continuous vulnerability scanning with manual, human-led penetration tests. So it's not really just automated scanning. You're actually getting manual tests there as well. Another myth is that most people think that PTaaS is a one-size-fits-all kind of thing. So you sign up for a PTaaS engagement, you pay a fixed subscription fee, and then you have to be at the mercy of the provider on what they test, right? A good pen test provider actually does it a little differently. They try to understand your scope, your environment, your industry, your exposure, and then customize your testing lifecycle to match what makes the most sense for your business.
Jara Rowe: All right, so you were just mentioning automation, and I would assume that you would have to have some sort of platform to be able to automate. So how can businesses trust that a PTaaS platform that would be used to perform these services is secure itself?
Anh Pham: That's a fair question, and the process is honestly not very different from how you would treat any other critical service, supplier or vendor. You want to check and make sure that your PTaaS provider has a strong security program, that they have robust security controls in place, and that they actually also get frequent testing done on themselves as well. Additionally, I know certifications often don't equate to good security, but it's still a good practice to make sure that your PTaaS vendor follows established frameworks like SOC 2, ISO and NIST CSF. So basically, treat your PTaaS provider like other critical vendors, since they're touching your sensitive systems and data all the time and they actually know about your validated, real weaknesses. You want to make sure you do your due diligence. Ask for their security policy, vet their security program, check how they handle your data, and make sure they pass all the same scrutiny that you would normally apply to any other major provider or supplier.
Jara Rowe: For sure. We've talked about the importance of third-party vendors and how you take on their risks as well. But a PTaaS provider, I feel like, has the most access to all of that information, so I would definitely make sure I vet them if they have a lot of access. So again, we were just talking about automation a little bit, which I know AI fits into this conversation, and I don't think you can have a conversation nowadays about any topic that doesn't include AI in some way, shape or form. So how is the PTaaS market evolving with AI and automation?
Anh Pham: So similar to pretty much every other market, you go online, you see AI everywhere. Everybody is mentioning that they use AI, and there's good and bad. So AI and large language models are making everything faster. It's making it a lot easier to hunt for low-level, low-hanging fruit or easy weaknesses. But the part that AI is still lacking is sort of that human creativity in PTaaS. And if you ask a lot of ex-pen testers, they're going to say that PTaaS is about 50% science, 50% creativity. So if you're relying on AI tools only, you're actually missing a lot of stuff. So AI helps speed up the process. It actually helps a lot of PTaaS vendors carry out engagements more effectively and more frequently. But you still want to make sure that your PTaaS provider is incorporating the human element into the process well, and not just giving you an AI pen test platform.
Jara Rowe: Yeah, definitely. If I'm going to pay for a pen test, I want to pay for the full thing and not just half of it that relies solely on AI.
Anh Pham: Right, and maybe one day AI will get there. It's certainly... it's not today.
Jara Rowe: For sure. So do you think PTaaS will become the standard way businesses handle security testing in the near future?
Anh Pham: Yes, 100%. The old way of doing pen tests just feels like sending snail mail in the new age of Slack and instant messaging. Once you know about a request and once you've patched it, your environment has changed and you now have new weaknesses that you have no idea about. Similar to everything else that has moved to a continuous model, PTaaS is obviously the new way of doing penetration testing for most, if not all, companies.
Jara Rowe: Yeah, that definitely makes sense. So Anh, what's one key takeaway about PTaaS you'd want every listener to remember?
Anh Pham: I normally tell people that security doesn't have to be this slow, expensive, meaningful model of [inaudible] that you have to think about. I normally advise people to start approaching security one thing at a time. Start small, determine what makes sense for you, and then scale and grow as your business scales and grows. PTaaS enables that, so it makes testing more accessible, more flexible. It's just a lot more aligned with how businesses work today and what real-world environments reflect today. You don't need to be a big company or have a huge security team to start tackling security with PTaaS. You actually can get started right away, within days or a week, and you get real, validated feedback that can help you improve your security posture.
Jara Rowe: Yeah, and that's very important. The Tea on Cybersecurity definitely talks about how it's important to make sure that everything's secure and how we should start early on, especially when we're forming a company. Start from day one, it's important. All right Anh, we covered a lot of information here. But is there anything else that you would like to say or make sure that we all get when it comes to PTaaS, before I let you go?
Anh Pham: If there's one thing for you all to remember, staying ahead of threats, doing proactive security, doesn't have to be complicated. Start small, focus on what matters the most, and then scale as you grow.
Jara Rowe: Absolutely. Well, Tea on Cybersecurity listeners, like Anh said, I hope you really gained a better understanding of PTaaS and cybersecurity in general. Anh, thank you so much for your time.
Anh Pham: Thanks for having me.
Jara Rowe: Now that we spilled the tea on PTaaS, it's time to go over the receipts. I truly gained a lot of clarity from my conversation with Anh, so let's go ahead and dive into those key takeaways. Receipt one is what PTaaS is and how it differs from traditional pen testing. So PTaaS is actually a series of penetration tests that are performed over a given engagement period. The service is ongoing and repeatable, which gives companies access to real-time information instead of on a yearly basis, which is what a traditional pen test covers. PTaaS also includes a couple of other services, like continuous vulnerability scanning. The next receipt that I have is that companies that use PTaaS don't have to wait for the big report at the end, since this information is shared more on a regular basis. Which leads me to my last receipt. Anh feels that PTaaS is more accessible and more aligned with how businesses are moving, as things are ever-changing in any industry. He always talks about how it's easy to start small and feels that PTaaS allows this, as it gives you a great picture of your overall security early on in the founding or starting of the company. Thanks for tuning in to another episode of The Tea on Cybersecurity. Have a good one. And that's the Tea on Cybersecurity. If you liked what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.