
New pentest certification exam shows just how complicated the job has become

Visitors crowd a cloud computing presentation at the CeBIT technology trade fair in Hanover, Germany. Today’s columnist, Lior Yaari of Grip Security, explains the three elements of the Cloud Security Alliance’s best practices. (Sean Gallup/Getty Images)

Nonprofit trade organization CompTIA (The Computing Technology Industry Association) on Thursday announced that it is revising its CompTIA PenTest+ certification exam to account for changing attack vectors and surfaces resulting from the ongoing proliferation of cloud services and web applications.

The update to CompTIA’s content highlights the rapidly shifting challenges facing the pentesting/offensive security community as it navigates complex cloud and hybrid network environments and contends with an expanding array of API-related application vulnerabilities.

"The profile of a traditional pentester has evolved to that of a 'product security engineer' and demands better understanding of technology, development environments and deployment processes," said Aravind Venkataraman, senior principal at Synopsys Software Integrity Group. As a result, "universities, alliances and certification providers are trying to keep up with relevant technical content, baseline coverage requirements and methodology standardization."

“Modern penetration testing is pretty different from what it used to be ten years ago,” agreed Ilia Kolochenko, founder of ImmuniWeb. This is for several reasons. First and foremost, "new technologies, spanning from IoT devices connected to the Internet to multi-cloud environments with managed container orchestration solutions, made the reconnaissance, exploitation and pivoting stages of penetration testing considerably more complex and heterogeneous,” he said.

Indeed, "rapid adoption of emerging tech like cloud-native plug & play widgets, microservices, serverless functions, rich JavaScript widgets, etc., is forcing security professionals to think different about how they approach security testing more holistically," agreed Venkataraman. "This means looking at software design, platform configuration, API specs and deployment artifacts – much of which is in the form of 'code' these days. This also means being aware of an application's use of cloud platform controls to be able to look for weaknesses in the underlying configuration that may lead to system-level risk."

On top of tech advancements, pentesters are also facing tremendous scope creep, Kolochenko noted, as they now often have to test “countless systems where corporate data is stored, processed or backed up,” not to mention verifying the security of multiple third-party partners that also possess your data.

Legal and regulatory concerns have increased as well, Kolochenko added. For instance, the act of pentesting a product might violate terms of service as spelled out by certain EULAs.

Bottom line: "The attack surface has increased for nearly all organizations as new technologies are implemented, especially cloud and hybrid environments, IoT devices and web apps," said Patrick Lane, director of cybersecurity product management at CompTIA, in an email interview. "Pentesters must be able to find vulnerabilities on these newer attack surfaces, which require additional tools and processes to accomplish. Cybersecurity certifications must accommodate these newer skills because organizations require them and 80% of HR professionals use IT certifications when making their IT hiring decisions."

In recent months, the popularization of cloud-based services – accelerated by the work-from-home trend triggered by the COVID-19 pandemic – has arguably been among the most impactful IT trends affecting how pentesters must perform their jobs.

This development, said Kolochenko, has introduced “a wide spectrum of new cloud-specific misconfigurations and weaknesses, such as IMDS (instance metadata service) exploitation, excessive IAM (identity and access management) policies or poorly configured cloud storage.” Consequently, “one mistake may provide attackers with all the data and full control over the systems available in your cloud environment. Thus, while providing greater capabilities to automate and accelerate DevSecOps and DFIR (Digital Forensics and Incident Response), cloud may also boost the amplitude of cyber risks.”
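The three misconfiguration classes named in that quote are all things a defender can check for before a tester or an attacker does. The following Python script is an added example, not code from the article, CompTIA or any vendor quoted here; it runs offline over constructed JSON shaped like the documents the AWS APIs return (an IAM policy document, EC2 instance metadata options, an S3 bucket policy) and flags an admin-level wildcard grant, an instance that still accepts IMDSv1 (the `HttpTokens: optional` setting), and a bucket policy that grants access to an anonymous principal. The instance IDs, bucket name and policies are all made-up sample values.

```python
"""Offline checks for three cloud misconfiguration classes:
excessive IAM policies, IMDSv1 left enabled, and public storage.

Added illustration; the sample documents below are constructed and the
instance IDs / bucket names are placeholders, not real resources.
"""
import json
from typing import Any, Dict, List

# Constructed sample: an IAM policy whose first statement is full admin.
OVERLY_BROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*"},
    ],
}

# Constructed sample: per-instance metadata options. "optional" means the
# metadata service still answers requests without a session token (IMDSv1),
# which is the setting that makes SSRF-to-credentials paths work.
INSTANCE_METADATA: Dict[str, Dict[str, str]] = {
    "i-0000example": {"HttpTokens": "optional", "HttpEndpoint": "enabled"},
    "i-0001example": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
}

# Constructed sample: a bucket policy granting anonymous read and list.
PUBLIC_BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def iam_findings(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements with wildcard actions and/or wildcard resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action and wild_resource:
            findings.append(f"statement {i}: Action * on Resource * (full admin)")
        elif wild_action:
            findings.append(f"statement {i}: service-wide wildcard action {actions}")
        elif wild_resource:
            findings.append(f"statement {i}: Resource * for {actions}")
    return findings


def imds_findings(instances: Dict[str, Dict[str, str]]) -> List[str]:
    """Return instance IDs whose metadata endpoint is on but does not require
    IMDSv2 session tokens (HttpTokens != "required")."""
    return [
        iid for iid, opts in instances.items()
        if opts.get("HttpEndpoint") == "enabled"
        and opts.get("HttpTokens") != "required"
    ]


def _principal_is_anyone(principal: Any) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def storage_findings(policy: Dict[str, Any]) -> List[str]:
    """Flag unconditional Allow statements whose principal is anyone."""
    findings = []
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow" and _principal_is_anyone(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(f"{st.get('Sid', '?')}: anonymous {_as_list(st.get('Action'))}")
    return findings


def assess(policy, instances, bucket_policy) -> Dict[str, List[str]]:
    """Combine the three checks into one report keyed by misconfiguration class."""
    return {
        "excessive_iam": iam_findings(policy),
        "imdsv1_allowed": imds_findings(instances),
        "public_storage": storage_findings(bucket_policy),
    }


if __name__ == "__main__":
    print(json.dumps(assess(OVERLY_BROAD_POLICY, INSTANCE_METADATA,
                            PUBLIC_BUCKET_POLICY), indent=2))
```

Each check looks only at the policy or setting itself, so it will not see effective permissions that arrive through group membership, resource policies or service control policies; treat the output as a starting list for a scoped review, not as proof that everything not listed is safe.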

The same principle is true for containers, Kolochenko added. “They can bring a lot of benefits to your security and resilience, but if developers or sysadmins lack appropriate security training, the novel technology becomes a powder keg ready to explode.”

In a press release, CompTIA also noted that its amended exam has placed "greater emphasis on proficiency in vulnerability management skills used to plan, scope and manage weaknesses." This, too, marks a departure from previous iterations of the exam.

"Vulnerability management skills have become more important because pen testers continue to find more vulnerabilities," explained Lane. "Many of those vulnerabilities cannot be mitigated, usually due to patching or software incompatibilities."

With that said, exactly which skills are most critical to surviving today's cyber threat environment? According to Lane, an especially significant one is the ability to leverage automation tools to conduct efficient and effective vulnerability assessments.

"The automation of vulnerability assessments goes a long way in finding weaknesses before the enemy does, and many pen testing automation tools are available and taught in the new version of PenTest+," said Lane.

Kolochenko offered some additional suggestions: “Security analysts should consider not just abstracted technical issues but business interests and compliance risks when addressing mushrooming vulnerabilities,” he said. “We cannot detect all vulnerabilities, we cannot fix all high-risk security flaws at once, and we cannot stop all hackers. Risk-based and threat-aware testing and remediation of vulnerabilities is essentially important for a successful cybersecurity program in 2021. Thus, managerial and other soft skills will be priceless for the next generation of cyber defenders.”

In addition, "the approach to program management and vulnerability management to sustain risk assessments across an evolving application portfolio needs to scale," said Venkataraman. "This means carefully choosing the right depth in testing and scanning, but [this] also includes the ability to convey actionable findings 'just in time' to developers within their ecosystem to enable faster fix cycles. Tagging remediation owners within the organization based on type of finding becomes an art that is slowly getting automated through better asset inventory management and better traceability practices."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
