Despite advancements in the last decade, pen testing still requires significant improvements to effectively address security challenges, says Robin Fewster, Senior Manager of Security Testing and Cyber Defence at Hargreaves Lansdown.
Robin’s insights are drawn from a career that spans over 23 years. Starting as a software developer, he quickly transitioned to “breaking things” as a penetration tester in the early 2000s. His experience includes roles at major organisations like Mastercard, where he was involved in the formation of the PCI Standards Council, as well as consultancy work and internal security roles at companies like Sage.
In a valuable discussion with Chaleit’s CEO, Dan Haagman, Robin touched on several key themes, from the challenges facing the penetration testing industry to the importance of partnership and the need for a more flexible, updated approach to cyber security.
Watch the interview and read the main takeaways below.
The state of penetration testing: Same but different
The penetration testing industry has not changed significantly over the past decade. Despite some improvements, many of the core issues Robin identified in a talk at CRESTCon in 2014 persist today.
“You still see a lot of cyber security consultancies doing pretty much the same kind of things that didn’t really quite work out so well,” Robin noted.
He acknowledged some progress, such as better integrations with issue trackers and improved portals for organising tests. However, there are still “the same old problems,” like extensive lead times, overreliance on rigid scoping documents, and a lack of communication during the engagement.
Penetration testing has become commoditised to some extent, with many firms offering standardised, automated solutions without considering the specific context of the organisation they’re testing.
“You can make money as a pen testing firm and deliver pretty bog-standard methodologies because it’s a regular requirement, a tick-box exercise,” Robin said. “The industry is full of extremely smart people that apply critical thinking on a daily basis. It’s just that sometimes they’re forced to deliver services in a certain way.”
Robin believes that the industry needs to focus more on personalised and context-aware testing. By understanding the specific threats and vulnerabilities unique to each organisation, penetration testers can provide more valuable and actionable insights.
A more flexible and integrated approach to pen testing would allow security consultants to work more closely with internal teams to understand their unique security needs and deliver more meaningful results.
The value of partnership in penetration testing
The current approach to pen testing, relying on external consultants and following a rigid schedule, is inefficient. External consultants are often preferred over internal teams despite the latter potentially being more qualified and knowledgeable. This happens because of organisational culture, regulations, and compliance expectations.
While external pen testers have certain methodologies and capabilities, they might not always be equipped to ask the right questions or engage deeply with the internal team, missing out on valuable insights.
Robin recounted scoping meetings in which internal teams shared detailed architecture information, only for pen testers to reduce it to a standard methodology. Instead of filtering out crucial information to fit predefined scopes, pen testers should leverage the detailed knowledge shared by internal teams to deliver more tailored and valuable security assessments.
“When you join an internal organisation, and you become part of the team, you get closer to the developers, security architects, and software architects, and they’ll tell you where the skeletons are hidden,” he explained.
This collaborative approach creates trust and allows for more open communication, leading to more effective security strategies and outcomes.
Compliance: A double-edged sword
While acknowledging the importance of compliance in establishing security standards, Robin also pointed out that compliance requirements can sometimes drain innovation or be a barrier to security testing.
He explained that the focus on meeting specific compliance requirements can lead to a tick-box exercise approach, leaving little room for creative thinking about potential security threats.
Discussing industry standards like the OWASP Top 10, Robin pointed out the challenge of their proliferation and the difficulty of applying them effectively, especially as they often overlap: “If you have a good look at them, they’re pretty much the same categories of vulnerability types or misconfiguration types that are just worded differently,” he observed. “It’s becoming less useful.”
Here, too, the industry needs a more flexible approach, allowing time and space for creative problem-solving and innovative security strategies.
The future of penetration testing
Robin sees automation and integration as critical to the future of penetration testing. Integration with development tools and workflows can also streamline the testing process, reducing friction and improving efficiency.
Looking ahead, he hopes to see a more dynamic approach to pen testing, with shorter lead times, more integrated workflows, and a focus on critical thinking and innovation.
By moving away from rigid, compliance-driven models, the industry can better meet the needs of modern organisations and keep pace with the rapid evolution of technology.
The magic of collaboration is at the core of our engagement model here at Chaleit. We abandon the old hit-and-run model and prioritise making clients more secure through a holistic pen testing approach.