Pentesting Trends in 2023
Let’s take a look at major trends that have stirred up discussions on how pentests are performed and what looks promising in pentesting.
The Major Trends
AI and Pentesting
Artificial intelligence has taken every industry by storm this year. We are sure everyone had fun with ChatGPT, Midjourney, and other Generative AI tech out there. It is no surprise this AI revolution has also spread to pentesting.
Tools like PentestGPT can now take the results from other traditional pentest tools and give you insights. For example, if you input a port scan result from Nmap (a popular port scanner), PentestGPT will let you know the possible next steps depending on which ports are open, identify known applications, etc. Reporting and data aggregation are made more accessible with tools like Hexway Hive, which provides ChatGPT integration to help you carry out better pentest projects, especially the reporting part. As you know, ChatGPT can also generate quick scripts for simple and mildly complex tasks, saving pentesters lots of time.
Beyond Generative AI, artificial intelligence and machine learning in general are proving increasingly useful for multiple security objectives, whether offensive or defensive. Behavioral analytics, AI adversary simulation, advanced threat intelligence, etc. are just some of the things AI can do, and it’s just starting!
Pentest-as-a-service is still a very nascent industry, even though some players have already made a strong impression in the market. Pentest-as-a-service or PTaaS is the modern model of pentesting where the services are delivered through a dedicated workspace, always at the disposal of the client. The services are ready to be scaled at one click, and much focus is on automation. With its flexible approach, PTaaS integrates easily with existing workflows or organizations, leading to ever-increasing popularity.
Market leaders like Cobalt, Rapid7, etc. have already shown how successful PTaaS can be, providing top-quality pentesting services with the latest paradigms incorporated into practice. Pentest providers and organizations can implement PTaaS and use its benefits too. Tools like Hexway Hive & Apiary are perfect for anyone who wants to embrace the PTaaS philosophy of pentesting. Hive lets you automate pentest reporting and communication with the blue team and developers through the additional customer portal workspace, Hexway Apiary. With features like custom GPT integration, reverse Jira integration, standardized reporting features, custom dashboards, etc., they can prove to be the PTaaS solution you might have been looking for all this time.
Smart Contracts and Smarter Audits
Even though the NFT craze has died down and fewer crypto bros are out there, the blockchain industry is thriving. Decentralized apps, whether social media apps or payment gateways, are emerging and being implemented on blockchain technology. Smart contracts, which are basically agreements that execute when certain conditions are met during a blockchain transaction, play a large part in this. Protecting these transactions is of utmost importance, and that’s where smart contract audits come in.
Smart contracts are written in programming languages that depend on the underlying blockchain technology. For example, Ethereum-based applications use Solidity, while others use Rust, Vyper, etc. Web3 pentesters review and audit the code of these smart contracts so that no exploitable vulnerabilities remain. Maybe there is a bug that allows you to do a single transaction multiple times or, in the worst case, directly steal money. No, we are not kidding, that actually happened: a recent attack saw hackers get away with $34 Billion worth of crypto assets. Hence, the emergence of smart contract security is a necessary trend.
Emerging Tech Pentests
New tech like 5G networks, internet-of-things (IoT) devices, smart automobiles, etc. have become a part of our lives, and they have integrated themselves so deeply that we cannot deny our dependency on them. And you can bet that as much as these technologies capture the attention of end users, they also gather interest from attackers and threat actors. These fields have become a prime spot for pentesters.
IoT devices remain one of the most neglected parts of the pentest world (how many IoT pentesters do you know? Yeah, right). But this issue becomes serious when you realize that medical devices are also part of IoT devices nowadays, sometimes putting lives at risk. Multiple cases of an IoT device being the weakest link have led to ransomware attacks on health institutions. Not even cars are safe! Admin access to powerful panels that allow arbitrary command execution on automobiles tends to pose a major risk. Imagine killing the engine of a Range Rover while it’s doing 100 mph on a highway! Not a good look.
Continuous Pentest and Automation
Gone are the days of pentests being a one-time, annual affair where the vendors provided limited coverage for a few specific bugs. Enter the paradigm of continuous pentest, a modern approach that ensures the attack surface is always mapped and protected throughout the year. This approach is carried out by doing multiple cycles of testing and retesting throughout the year, with strong communication between the testers, clients, and developers to ensure that things are not lost or overlooked (no more one pentest report with a block of text).
And the main player in executing continuous pentest is automation. Tasks like scheduled scans, parts of reporting, asset management, etc. are done through tools. Further, the DevSecOps approach is an important aspect, where security and testing are made an inherent part of the Software Development Life Cycle, leading to a more robust and secure product. Combine all of this, and your worries about that new zero-day or this APT campaign will be reduced.
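An added example, not from the original article: one small piece of the automation described above, comparing the open services seen in two test cycles so that newly exposed ports and retest results stand out. The scan data is constructed Nmap grepable (-oG) output, and the function names are illustrative.

```python
import re

# Constructed sample data: Nmap grepable (-oG) output from two test cycles.
CYCLE_1 = """\
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.20 (db01)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///
"""
CYCLE_2 = """\
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 192.0.2.20 (db01)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///
Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")

def open_services(grepable):
    """Return {(host, port, proto): service} for every open port."""
    found = {}
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # skip comments and "Status:" lines
        host, ports = m.groups()
        # The Ports field may be followed by other tab-separated fields.
        for entry in ports.split("\t")[0].split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                found[(host, int(fields[0]), fields[2])] = fields[4]
    return found

def diff_cycles(previous, current):
    """Compare two cycles: what appeared, and what is no longer open."""
    before, after = open_services(previous), open_services(current)
    return {
        "new": sorted((k, after[k]) for k in after.keys() - before.keys()),
        "closed": sorted((k, before[k]) for k in before.keys() - after.keys()),
    }

if __name__ == "__main__":
    report = diff_cycles(CYCLE_1, CYCLE_2)
    for label in ("new", "closed"):
        for (host, port, proto), service in report[label]:
            print(f"{label:6} {host} {port}/{proto} {service}")
```

The "new" entries are the ones to triage first, and the "closed" entries give the retest evidence that a previously reported exposure is no longer reachable.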
As we look ahead to the future of pentesting, staying up-to-date with these major trends will be crucial for keeping pace with the ever-evolving threat landscape: embracing the power of AI, recognizing how PTaaS and continuous pentesting are creeping into every organization, and understanding how important it is to keep smart contracts and newer tech secure. By adopting these practices, pentesters can better safeguard digital assets and maintain a proactive stance against emerging cyber threats.