The beginning of computers and technology transformed the world as we know it, creating new opportunities as early as the 1940s. When the door opened up to ample possibilities in the digital realm, cybersecurity concerns later began to follow. As a result, security methodology and efforts have been around since the early 1960s and continue to evolve with the times.
The Evolution of Penetration Testing
1900s
James P. Anderson was one of the early pioneers of penetration testing, dating back to the 1970s when fully securing computer systems remained a relatively new idea. During this time, “Tiger Teams” were one of the earliest types of hackers. Anderson’s journey with computers and his distinguished contributions to information security began in 1959 when he earned a patent for one of the first multiprocessor systems, the D-825. He is acknowledged for the invention of the reference monitor later on in 1972, the audit trail-based intrusion detection in 1980, and he was recognized with the National Computer Systems Security Award in 1990.
Anderson created an outline for a series of steps to test the security of systems, including how to identify vulnerabilities and plan successful, authorized attacks to exploit those weaknesses. This model continues to be applied in penetration testing engagements.
As developers proceeded to introduce new technology, concerns over safety and information security accelerated. “At the 1967 annual Joint Computer Conference that brought together more than 15,000 computer security experts, government and business analysts discussed concerns that computer communication lines could be penetrated, coining the term and identifying what has become perhaps the major challenge in computer communications today.” (The History of Penetration Testing) By the 1980s, Congress passed the Computer Fraud and Abuse Act.
In the 1990s, a noteworthy tool — the security administrator tool for analyzing networks — was developed and later coined “SANTA”. This tool ran a series of tests on a network to discover vulnerabilities, along with a report of future potential threats that may arise.
2000s
Many early developers helped pave the way for penetration testing engagements, eventually leading to the development of a modern pentest program today. With speedy development, rapid feedback, and continuous improvement staying top of mind, Agile began to take off in the early 2000s with the adoption of the Agile Manifesto.
Image from The History of Agile
Sprints help with the agile principle of delivering a working product and are at the heart of agile methodologies. With sprints becoming more prevalent, traditional pentesting started to lag behind. Traditional models rarely focus on speed, automation, and agility, making prioritizing simultaneous development and remediation efforts a more difficult task for engineering teams.
As the number of companies following a DevOps model increased, so did the demand for agile and rapid pentesting. The business landscape today is ever-changing, and that’s where traditional pentesting falls short — businesses considering app development, cloud services, and other modern, advanced technologies that help accelerate business need a service that embraces the agile methodology.
More recently, the expanded remote workforce in 2020 and the shift to digital sparked the need to reform digital disruption tactics. Amid the larger move to “Anything as a Service” (XaaS), Pentest as a Service (PtaaS) comes in today as a modernized approach to penetration testing.
The Transformation from Pentesting to PtaaS
The term XaaS caught attention right before the start of the 2000s with Salesforce introducing their software-as-a-service (SaaS) model. XaaS generally refers to an array of services companies can purchase from a provider related to cloud computing and remote access. Examples include:
- Pentest as a Service (PtaaS)
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Data as a Service (DaaS)
What is PtaaS?
PtaaS delivers speed, scope, collaborative testing, and retesting to ensure development teams remediate risk quickly and innovate securely.
It brings value to teams to pave the way for how DevOps manages security, notably in comparison to traditional pentesting. PtaaS differs from traditional pentesting by providing a modernized cloud-based platform with software integrations and more automatic reporting, where pentesters are able to focus more on testing for heightened security, speed, and affordability.
PtaaS platforms operate faster than traditional testing methods and tools in addition to providing detailed reporting on critical security vulnerabilities. PtaaS also enables:
- Effective workflows
- Shorter scheduling times
- Real-time insights
A PtaaS platform ties together automation tools with a human element of expertise from a community of highly-vetted experts who conduct the testing.
Cybersecurity analysts and industry experts today in 2021 are viewing PtaaS as a key market driver, as it continues to gain recognition as a practice for long-term business success. Learn more about PtaaS and see how Cobalt’s Pentest as a Service (PtaaS) platform empowers teams with an innovative, modern approach to pentesting.