This blog was previously published on blog.tcell.io.
Regardless of the size of company you work for, penetration testing is a cornerstone of an application security strategy, especially for companies that need to satisfy certain compliance certifications, such as SOC 2 and PCI DSS. Pen testing is a simulated attack against your web applications or a traditional WAF. By using a controlled attack plan coupled with runtime application self-protection (RASP), you can identify potential vulnerabilities before they are exploited, get pushed into prod, or use it to fine-tune your WAF (if you're into that kind of thing).
It's basically quality assurance for security before you roll out your product into the wild. Most companies choose to outsource their pen testing to third-party testers, while others have in-house pen testers to conduct ongoing assessments. In either case, there are common pitfalls with pen tests that can be eliminated by using RASP to save you time, money, and frustration.
Getting more value out of your application pen test with RASP
Using a RASP tool with your pen test program can get you, your team, or your client on the same page throughout the entire process. Here are five ways using RASP for pen tests will add value:
1. Scoping and documenting the requirements for a pen test
Using a RASP tool like tCell can help with creating the scope of the pen test because RASP gives you the entire attack surface. Load the RASP tool with your application to get a full view of all the API endpoints and routes to be tested. If you're working with containers or microservices and you want to make sure your CI/CD pipeline is also secure, load tCell in a container to see the full list of containers to test and create the scoping doc.
Having a full view of the application will help structure the objectives around the benefits of the pen test. You can more accurately describe how the pen test will satisfy certain requirements, especially if you already use a RASP tool in production to pull live attack data into your test plan.
2. Eliminate duplicated effort
When you're using a RASP product during your pen test, you have instant visibility into what attacks are happening, what part of the app has been tested, and what attacks were successful. Your pen testers will see what's going on in the app so they won't duplicate efforts, saving them time and saving you money.
3. Simplified reporting and documentation
It seems like a no-brainer, but a pen tester could forget to document the test by not taking notes, taking notes, or logging activities. RASP is already doing most of that for you. You can easily export your attack behavior and successful breaches into a report for your security manager and CISO.
4. Creating and testing a policy and plan
There are two schools of thoughts on whether to do a pen test on a production environment or an identical test environment, but we'll save that for another blog post. Just assume that the pen test will happen on the test environment that mirrors production. It's important that when you cause an incident during your pen test that your incident response team responds accordingly. A few benefits of having a RASP tool enabled is that it can be deployed in a test environment as well as production so that you have the same setup and your app will behave identically in both. Additionally, RASP will trigger alerts to your incident response team or SIEM so that process can be tested and refined as well.
Typically, WAFs are easy to bypass for a skilled pen tester. So, if you're doing a pen test in a production environment, having a RASP tool can give an extra layer of protection while your security team uses the results to fine-tune your WAF rules.
5. Get real results from a pen test
As mentioned earlier, you can match your environments exactly, but there's another level of value you can get from having RASP in both prod and pre-prod. If you already have a RASP in production, you're getting legitimate attack data that you can use to model your pen test after. You won't have to worry about the results of your pen test being inaccurate because it didn't match the production environment. You can provide real, quantitative improvements to the development team.
Even though pen tests are common security tactics for innovative companies, but they are not without their faults. Using a RASP tool will give visibility into your pen test engagements that will not only improve the overall process—from defining the scope and objectives to executing the plan and writing the report—but will also improve the legitimacy of your results. At the end of the day, your recommended improvements will have a real, direct impact on the effectiveness of your appsec program.