The Role of In-House Penetration Testing

Security adviser Roger Grimes once famously wrote, "To beat hackers, you have to think like them.” Grimes explained that security professionals should step into the attackers’ shoes and seek how to break into corporate systems, discover weaknesses, and create robust security countermeasures. Walking the walk of an attacker is what penetration testing is all about.  

What is In-House Pen Testing? 

In-house pen testing is, quite simply, when any pen testing efforts are deployed from within an organization. Instead of (or in addition to) hiring a third-party service, businesses can run their own pen tests to assess the state of their security. 

 Though some think a full, dedicated in-house pen testing team is needed in order to run a successful pen testing program, organizations can start small, with just one employee or security teams taking on pen testing duties. Organizations can utilize penetration testing tools that have automated features which can be used by security team members who may not have an extensive pen testing background. These tools can be used for tests that are easy to run, but essential to perform regularly, like validating vulnerability scans, network information gathering, privilege escalation, or phishing simulations. 

According to the 2023 Penetration Testing Report, it’s clear organizations realize the importance of internal penetration testing since 48% of the 2023 Penetration Testing survey respondents have in-house teams. This percentage marks a 7% increase compared to the 2022 results.  

In-House Penetration Testing Efforts

Image

Why Do Organizations Have In-House Pen Testing? 

Having in-house pen-testing capabilities can quickly expand efforts, allowing for more frequent tests and coverage of a broader scope of the IT infrastructure. It also ensures that changes to the infrastructure are more efficiently assessed to ensure new security gaps aren’t created.  

According to the report, organizations conduct penetration testing for multiple reasons. 69% report that they perform pen tests for risk assessment and remediation prioritization. By having internal knowledge of the organization, teams can tailor remediation plans knowing what the available resources are and their limitations. They can outline the best and most effective changes that are also achievable and help implement them. 

58% reported using in-house pen testing for regulatory compliance mandates and 40% for company policy requirements. Having an in-house pen testing capabilities ensures that these standards will be met and won’t fall through the cracks. With continuous testing, organizations can far exceed the bare minimum conditions of a mandate or regulation. 

Reasons for Penetration Testing

Image

No matter the driving reason, it is essential not to pen test to check a box. Businesses should take the next step forward and take all necessary steps to mitigate identified weaknesses. A pen test program does not end with discovering vulnerabilities; a formalized program can help organizations achieve maximum coverage and impact. 

Every pen test involves several steps, from scoping and intelligence gathering to threat modeling, analysis, and reporting. However, the specific goals, methodology, conditions, and targets can differ quite a bit depending on whether the organization chooses in-house or external penetration testing. 

The Challenges of In-House Pen Testing 

While in-house pen testing appears to be on the rise, 52% of organizations do not have an in-house penetration testing team. Many factors contribute to this finding, the most important being the lack of required talent. 

The skills gap is a persistent issue in the cybersecurity industry, affecting the establishment and staffing of penetration testing teams. In fact, according to the (ISC)² 2022 Cybersecurity Workforce Study, the cybersecurity workforce gap has grown more than twice as much as the workforce, with a 26.2% year-over-year increase.  

In addition, the tech and cybersecurity sectors have been massively affected by The Great Reshuffle, which created further challenges in retaining staff. In a field with so many job openings, there wouldn’t be uncommon to be more turnover and instability in any team building. 

Other factors affecting the organization’s ability (or decision) to maintain a pen-testing capacity are the lack of leadership buy-in and the consequent lack of required funding. These findings, coupled with the response that there is insufficient need, may indicate a lack of perception and prioritization.  

Using Tools to Deploy In-House Pen Tests 

Using pen testing solutions can help organizations overcome many of these challenges. While the skills gap may prevent an organization from being able to find and hire advanced testers, security or IT professionals don’t need have much experience with pen testing if they’re aided by effective tools. An automated commercial pen testing tool, like Core Impact, can guide them through routine tests and techniques. These tools can also be deployed without adding to your headcount, making them a cost-effective way to show the benefits of in-house pen testing efforts.