How ethical hacking and pentesting is changing in 2022
Cybersecurity and information technology are constantly changing, so it’s no surprise that ethical hacking and pentesting are evolving with it.
CompTIA recently performed a job task analysis for its PenTest+ certification, and organizations are seeing changes in the job role. It's also an industry that's seeing tremendous growth as more organizations continue to invest in web applications and other technology that can potentially be exploited by malicious actors.
According to Patrick Lane, CompTIA’s director of certification product management, the global pentesting market size is on a growth trajectory from $1.6 billion to $3 billion by 2026, a 13.8% growth rate.
“The market is going to double over the next five years as far as funds go. Opportunities, cloud pentesting is growing rapidly,” Lane said in a recent Infosec Edge Webcast. “We’ve got to train more people to do these jobs.”
3 ways penetration testing is changing
Infosec’s principal security researcher, Keatron Evans, mentioned in a recent webcast on penetration testing that cloud components to pentesting are on the rise, which is something Lane echoed.
He said there is a new trend and emphasis on cloud pentesting, a focus on segmentation testing, and pentesting containers and APIs.
1. Emphasis on cloud pentesting
“My company’s done about 17 large pentests this year, 2021, and every single one of them had a cloud component to it. That’s the first time that’s happened,” Evans said. “And most of them had more than 50 percent cloud involvement. You want to make sure you’re properly marrying your understanding and master of cloud technologies to your building up of your pentest skills.”
Lane echoes these sentiments. “Cloud pentesting is growing rapidly,” he said. “If more of these systems are in the cloud vs. on-premises, you need to learn how to do cloud penetration testing because you’re going to be pentesting hybrid environments — which are partially in the ground and partially in the cloud.”
2. Focus on segmentation testing and zero trust
Segmentation testing is also becoming more popular, said Keatron.
“I’ve always done a lot of penetration testing for companies in the financial sector,” Keatron said.
These companies have regulations, need to segment credit card data and more.
However, the focus on zero trust is expanding the focus on segmentation testing to organizations outside the financial sector, Keatron said. By its nature, zero trust requires an understanding of where those segments in an organization are and where you should or should not be trusting.
“I’m seeing an uptick in organizations asking us to help them find out where those segmentation points are so they can actually start to build a zero-trust framework within their environments,” Keatron said.
3. Pentesting containers and APIs
Keatron said a lot of the things he’s testing now aren’t real servers or virtual machines, but rather things like containers or other services. For example, Keatron said his team is testing a lot of APIs vs full-fledged applications.
“A lot of times the website that you’re testing doesn’t even exist until, for example, an API triggers some function and makes that website exist. And it might exist different from me than it would for you because the APIs decided you need to see the website a certain way.”
In short, these new, more complex mechanics and architectures that are happening with cloud and containers and APIs need to be tested for security.
“If you’re coming into the industry or are already in it and want to beef up your skills you need to focus on that,” Keatron said.
Future of penetration testing careers
“We have to deal with the rise in regulation and compliance that mandate pentesting,” Lane said. “Most regulations only require a few pentests per year, maybe two. We should probably be doing more pentests than that annually, and more vulnerability assessments. And so we’ve got to train more people to do these jobs.”
Pentesting, like the cybersecurity industry at large, has a lack of skilled professionals to work in the field. Lane said a lack of pentesting and red teaming skills rank in the top 10 when it comes to the biggest skills shortage in cybersecurity. Another challenge it has is the ability of security teams to communicate with the business side. You need to be able to report issues like data breaches and phishing attacks.
With this evolution and the continual threat of bad actors, pentesting is here to stay as an important part of cybersecurity.
“We’re going to be battling bad actors for the foreseeable future,” Lane said.