Shutterstock – ArtemisDiana
The annual penetration test (pentest) dates back to a time that no longer exists in the IT world. When applications, cloud resources, configurations and interfaces are constantly changing, a single inspection appointment per year is like a selfie from the day before yesterday: nice to look at, but quickly outdated. As the dominant component of IT security, the annual pen test is too static – and in the worst case, even dangerously deceptive. Because what was tested was a reality that shortly afterwards no longer exists. In addition, there is the antiquated operational reality of classic pen tests as a cost- and time-intensive individual project: define the scope, select service providers, coordinate appointments, test, evaluate the report, prioritize measures. This makes perfect sense from a technical perspective – but it scales poorly. Each new test run creates new coordination, new internal binding and new friction. There is also another problem: the lack of staff. According to the European Union Agency for Cybersecurity (ENISA), companies continue to face significant difficulties in finding the necessary cybersecurity staff.
Find out more and get to know VORNAC
Security is not a project, but a continuous process
The use of automated tools and processes is generally considered a solution. This change is also logical from an engineering perspective. For years, the DevSecOps concept has called for security checks to be integrated more closely into development and operation – i.e. earlier, more frequently and closer to the real life cycle of applications and infrastructures. A workshop paper by IEEE EuroS&P explicitly describes DevSecOps as an approach that relies on continuous security testing. Gartner summarizes this trend under the term “Continuous Threat Exposure Management” (CTEM), which also means a systematic approach to continuously and largely automatically assess the attack surface and exploitability of assets.
New providers are in demand
This shifts the standard for choosing a provider. What is no longer required is the individual test, but rather a model that fits into ongoing operations: with higher frequency, less organizational friction, comprehensible results and auditable documentation. In this context, trust in a provider does not come from certificates or big names, but from reliability in everyday life: clear processes, reproducible results and a solution that also holds up under real operating conditions. The pentest provider VORNAC positions itself in this area of tension. Their approach: Pentesting is not an occasional one-off project with long lead times, but rather as a continuous, automatic process with clearly prepared results and auditable reports. According to VORNAC, this reduces the coordination effort by up to 90 percent and the time savings can also be up to 90 percent. During the tests, a certified pentester accompanies the project and helps with mitigating and interpreting the findings. This expert can also create a valid test plan using various gray and black box tests. As far as the VORNAC infrastructure is concerned, everything is hosted in Germany, because digital sovereignty is becoming increasingly important, especially in regulated or sensitive areas.
Try VORNAC now
Results that can be classified, prioritized and used practically
However, more important than the promise of “more automation” is the combination of technical connectivity and comprehensible quality of results. “With our approach we have a much higher coverage than with the usual pen tests,” says VORNAC Managing Director Arthur Raess. “We don’t just deliver tool output, but results that can be classified, prioritized and used practically,” continues Arthur Raess. This is not an academic subtlety, but rather crucial, because there is a long way between a list of findings and a reliable security assessment. If you want to shorten it, you have to provide results in such a way that they can be used directly in security, audit and operational processes.
Reference application in healthcare
The example of the reference customer mbits shows how the VORNAC model works in practice. The software company chose VORNAC for three reasons: continuous security testing instead of classic one-off projects, clear results for direct implementation and transparency about its own security status. This is more than just an increase in convenience, especially in healthcare. It is proof that security can be organized reliably, comprehensibly and resiliently in everyday life. “We develop software for hospitals – security is not an option, but a requirement. Our partners must have just as high standards of quality and reliability as we do,” says mbits CEO Michael Müller about the collaboration with VORNAC.
Conclusion
The annual pentest will not disappear overnight. But he loses his sole claim. As IT becomes more dynamic, security resources become scarcer and evidence becomes more important, the audit model must also change. The annual mandatory appointment is gradually becoming an ongoing process of modern security work. New providers, such as VORNAC, who can translate this change into reliable, understandable and operational processes, are now positioning themselves as trustworthy partners among those responsible for security.
Everything about VORNAC
