For companies looking to stay ahead of the ever-evolving cybersecurity landscape, penetration testing is one of the most important services they can invest in. Penetration Testing as a Service (PTaaS) gives businesses an effective way to identify security vulnerabilities before they are exploited and cause irreversible damage. In this blog post, we'll discuss why it's important for organisations of all sizes to adopt a comprehensive penetration testing strategy and provide tips on how to find the right PTaaS provider for your organisation's needs.
Our Penetration Testing as a Service (PTaaS) advocates a continuous cycle of testing and remediation. Your security posture is always changing, so to keep up with that moving target there must be an on-going programme of testing, remediation and management. The methodology recognises that the entire platform stack needs to be tested and checked, from the operating system up to the TLS certificate: PTaaS is about establishing a regime of automated checks and monitoring alongside manual testing, so that even the smallest parts of your ecosystem are covered.
The importance of penetration testing lies in its ability to identify security vulnerabilities so they can be addressed before they are exploited. By finding weaknesses early, organisations can take the necessary steps to mitigate the risk and protect their systems from attack. This is why it's essential for organisations of all sizes to have a comprehensive penetration testing strategy in place.
The first step in any successful penetration testing programme is finding the right provider. When selecting a PTaaS provider, consider the scope and depth of services offered, as well as the provider's experience in the industry. Check that the provider is ISO 27001 certified and compliant with the data privacy regulations that apply to you. It also pays to select a provider that delivers regular reporting on the status of your security posture, so you can stay up to date with any issues that arise, and to ask how findings are delivered: a structured, trackable list of remediation tasks is far easier to act on than a static PDF report.
PTaaS includes a penetration test but also provides access to an array of tools, including vulnerability scanning and advanced security monitoring. Compared with traditional vulnerability scanning alone, PTaaS offers several advantages. It provides a more comprehensive view of the security posture of an organisation's IT infrastructure, because manual findings and automated results are brought together, and with automated tools and processes it lets organisations detect new vulnerabilities far faster than an annual manual assessment can.
Overall, investing in Penetration Testing as a Service is essential for any organisation looking to protect its critical data and systems. By choosing the right provider and implementing proper security measures, businesses can make sure they remain secure and protected. Here at Pentest People, penetration testing and Penetration Testing as a Service are both key focuses for us in helping to protect and secure businesses.
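The continuous cycle of testing and remediation described above comes down to a few concrete mechanics: every new manual or automated result is merged into one deduplicated work queue, each task is tagged with where it was found, and the time each issue stays open (its exposure window) is measured so progress can be reported. The Python below is an added example of that workflow; it is not Pentest People's SecurePortal code. The findings, hosts, dates and the 14-day remediation SLA are all constructed for illustration.

```python
"""Merge manual pentest findings with automated scan results into one
deduplicated work queue, tag each task by source, and measure exposure window.

Added example with constructed data; not the SecurePortal implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One result from either a consultant (manual) or a scanner (automated)."""
    host: str
    issue: str            # normalised issue identifier, e.g. CVE or a short name
    severity: str
    found: date
    source: str           # "manual" or "automated"
    resolved: Optional[date] = None   # set when a retest confirms the fix


@dataclass
class Task:
    """A single remediation task; many findings can collapse into one task."""
    host: str
    issue: str
    severity: str
    first_seen: date
    sources: set = field(default_factory=set)
    resolved: Optional[date] = None

    def tag(self) -> str:
        # e.g. "automated", "manual" or "automated+manual"
        return "+".join(sorted(self.sources))


def merge_findings(findings: list[Finding]) -> dict[tuple, Task]:
    """Deduplicate findings on (host, issue), keep the highest severity and
    earliest sighting, and reopen a task if the issue reappears after a fix."""
    tasks: dict[tuple, Task] = {}
    for f in sorted(findings, key=lambda x: x.found):
        key = (f.host, f.issue)
        t = tasks.get(key)
        if t is None:
            t = tasks[key] = Task(f.host, f.issue, f.severity, f.found)
        t.sources.add(f.source)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[t.severity]:
            t.severity = f.severity
        if f.resolved is not None:
            t.resolved = f.resolved
        elif t.resolved is not None and f.found > t.resolved:
            # Regression: seen again after the recorded fix. Treat it as a new
            # exposure window rather than silently extending the old one.
            t.resolved = None
            t.first_seen = f.found
    return tasks


def age_days(task: Task, today: date) -> int:
    """Exposure window: days from first sighting to fix (or to today if open)."""
    end = task.resolved if task.resolved is not None else today
    return (end - task.first_seen).days


def mean_age(tasks: dict[tuple, Task], today: date) -> float:
    """The 'age of vulnerability' metric a team can report over time."""
    if not tasks:
        return 0.0
    return sum(age_days(t, today) for t in tasks.values()) / len(tasks)


def overdue(tasks: dict[tuple, Task], today: date, sla_days: int) -> list[Task]:
    """Open tasks that have been exposed longer than the remediation SLA."""
    return [t for t in tasks.values()
            if t.resolved is None and age_days(t, today) > sla_days]


# Constructed sample: three weekly scan results plus one manual test.
TODAY = date(2023, 2, 1)
SAMPLE = [
    Finding("app-01", "outdated-openssh", "high", date(2023, 1, 3), "automated"),
    Finding("app-01", "outdated-openssh", "high", date(2023, 1, 10), "manual",
            resolved=date(2023, 1, 20)),
    Finding("web-02", "sqli-login", "critical", date(2023, 1, 10), "manual"),
    Finding("web-02", "sqli-login", "high", date(2023, 1, 12), "automated"),
    Finding("mail-03", "tls-cert-expired", "medium", date(2023, 1, 17), "automated"),
    Finding("mail-03", "tls-cert-expired", "medium", date(2023, 1, 24), "automated",
            resolved=date(2023, 1, 30)),
]

if __name__ == "__main__":
    queue = merge_findings(SAMPLE)
    for t in queue.values():
        state = "open" if t.resolved is None else "fixed"
        print(f"{t.host:8} {t.issue:18} {t.severity:8} {t.tag():18} "
              f"{state:5} age={age_days(t, TODAY)}d")
    print(f"mean age: {mean_age(queue, TODAY):.1f} days")
    print("overdue (>14d):", [t.issue for t in overdue(queue, TODAY, 14)])
```

Keying on (host, issue) is the simplest dedup rule; in practice the issue identifier has to be normalised first (the same weakness described slightly differently by a scanner and a consultant, as the podcast below notes, is the usual cause of duplicates). Pushing each `Task` into a ticketing system from here is a matter of serialising the fields; the regression check is what stops a ticket being closed while the weakness is back on the network.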
Good morning and welcome to the first Pentest People Tech Bites of 2023. Hope everyone has had a good break. My name is Eman and I present these weekly cyber podcasts. Today's topic is PTaaS, and I am joined by our two directors, Gavin and Robin, who will be discussing PTaaS in more detail. It's great to have you both on today. Can you tell our Tech Bites listeners a bit about your background? Gavin, shall we start with you?
Yeah, so my background. Well, I mean, I started in defence, you know, I wanted to configure firewalls and protect networks against attackers and things like that. But it turned out I was actually a little bit better at breaking things than fixing things. And so I hopped into pentesting as a junior pentester. And to be honest, this is my dream job, and I've stuck with that for a number of years. And then I worked through RandomStorm and eventually got together with three great guys and started up Pentest People.
I think it will be great to discuss the technical side of PTaaS in this podcast. Robin, do you want to tell our listeners about your background?
I'm more of the commercial guy in the management team. I was more born to be in sales. I left uni and got a job selling printers, and around that time the internet was kind of born. So I just sort of fell into internet security and, from around 2001, I've been involved in security. So new business sales through and through, this is what I do, which led itself into starting a company.
It's amazing to see the sales side as well as the technical side combined together to establish Pentest People. So now let's discuss PTaaS. What actually is PTaaS?
Yeah, I think it's not to be confused with SaaS. You know, we've talked about software as a service, and PTaaS sounds similar, but really PTaaS is more than a system, it's more of a methodology. Anyone can adopt PTaaS. Advocates of PTaaS basically understand that there is a need to continually test systems and applications; it's not something that you do as a one-off. We often say it's a bit like doing an MOT on a car: it's valid at the point of the MOT, but once the car's been driven for a week or so it's out of date and problems might have occurred. So basically, it's where you merge, if you like, or blend the output from a manual test, we call them remediation tasks, with the output from an automated test, and you combine them into a single work stream that becomes easier to manage, easier to track and easier to distribute. That's kind of PTaaS in a nutshell. Gav, if you have anything to add?
Yeah, absolutely. It's the continual testing, and there are huge benefits from the pentester's perspective. You know, traditionally you would have an assessment performed on an annual basis, and in a year, as Robin said, a lot can happen. New vulnerabilities can appear. And then we'd go back a year later and do the assessment, and maybe 90% of the vulnerabilities we found are the same things we found last year. And the client would explain the challenges they have, the obvious challenges such as resources, they might not have the budget to fix issues, but ultimately they've got this 100 page PDF report. How do you deal with it, how do you manage that? These PDFs can be two, three, four hundred pages long. Now, you can't send that out to departments. It's just not scalable, it's just not manageable. So, yes, PTaaS is in part trying to solve that very real problem.
I think I'd just close that off by saying that without adopting a PTaaS test methodology, what you're actually left with is a series of isolated tests and reports that are often contradictory. And what that effectively means, if you like, is that your vulnerabilities exist for a longer period of time, which extends the threat window. In other words, it gives a hacker longer to explore the network, and it's harder for organisations to realise the benefit from the penetration test.
So as a byproduct, you're shortening the amount of time a hacker would have to leverage vulnerabilities within the network. So it's a concept for continuously testing. Would you say that there are a lot of benefits having PTaaS?
Yeah, and I think to consider the benefits you have to take a step back and look at some of the challenges that exist with traditional penetration testing methods. So I think you have to question what the deliverable was in the old world: it was an annual PDF report or an Excel spreadsheet. So managers would waste a lot of time exporting that information from these documents into a system or into a workflow. Often they will cut and paste the PDF and just distribute it via email. That makes the tracking of the tasks inherently difficult. When you're sending out disparate reports to multiple people, it almost becomes impossible to manage the activity from that point. It also opens up the process to abuse, you know, you're relying on a member of your team to fulfil the action. There's no easy way to measure that progress. And, more importantly, it's slow. It really takes longer. But these are the sort of issues with traditional testing.
Gav. What are your thoughts on traditional testing?
Yes, it's a funny one. I think there's this kind of expectation that that's just the norm, and so everyone out there, by everyone I mean most pentesting companies and security firms, have just continued to do this because it's the norm, and there needs to be disruption. But obviously the more discussion around it, the better the approaches to it. Which is kind of why we're pushing the PTaaS approach so much, because things need to change. You know, we need to get things secure.
I think also people are testing more as well. Back in the day, people tested annually, often manually, and it was a lot easier to action the output from a test report: you had 12 months to do it. When you're testing every week or every month, there's a whole tsunami of information and remediation tasks that fall on that process. So the need to digitise this and make it more efficient has become more relevant. Now, when you say things need to change, I think it's the fact that we're testing more, there's more action, and you've got to streamline it; it's becoming quite onerous for people.
And how would you say PTaaS addresses these challenges?
I think if you put it simply into a sentence, it effectively gives organisations a shorter window of risk. Because you're testing more often, you're reducing the age of vulnerabilities, you're effectively finding vulnerabilities faster, and that is speeding up the remediation process. So in simple terms, vulnerabilities exist for a shorter period of time on the network. Therefore you shorten your threat window, your threat exposure, and essentially it gives the hacker less time to exploit vulnerabilities in your network and systems.
So if you are going to do PTaaS correctly, you need to have a strong system in place, and this is where SecurePortal comes along. Gav, can you explain to our listeners what it means when you say PTaaS powered by SecurePortal?
So SecurePortal: we actually had the idea back when I worked for a company called RandomStorm. Back then we had this portal that displayed the results from a variety of different technologies, file integrity monitoring, all that really good stuff. Having a tab in that portal dedicated to pentesting was one of those classic "wouldn't it be cool" kind of discussions. The idea was that a client could manage all their proposals, their scoping information, and get the actual test results all in the same portal. But it just wasn't our focus at the time. Fast forward to Pentest People, and as a startup we had an opportunity to make the idea a reality with a bit of a blank canvas. So we built the portal from the ground up, and we're now on our second major revision, and SecurePortal has now expanded to support this Penetration Testing as a Service approach. So, as I touched on previously, users can manage all of their pentests, vulnerability scans, and manual and automated assessments in a single portal, regardless of what the assessment type is. I think that's really important, because with a lot of solutions out there you might be able to manage vulnerability scans, you might be able to manage external infrastructure tests, but what about social engineering tests, physical assessments or firewall reviews? These reports are very different data with very different structures. So one of the key features is getting all those results together, whatever the test, so you can manage everything. And it provides trending between all assessments as well, so you can quickly see what's new, what's been resolved and what's still unresolved. Again, that's such a powerful feature and such a huge improvement over these traditional PDF reports.
And vulnerabilities can be assigned to users as well, which is what Robin was saying about the task flow, the workflow. So you can assign individual vulnerabilities to individual users, and that allows you to track what has been resolved and actually measure progress and know that the remediation work is actually getting done. There's smaller functionality as well, which can be really powerful, like the ability to leave comments on vulnerabilities so users can discuss remediation work within the portal, and you also have the audit trail. So the ability to manage all the results and all the remediation work across manual and automated tests is absolutely at the heart of the PTaaS approach; it's about continual testing, as we mentioned, rather than performing that snapshot in time. It's a really powerful platform that we've been able to put a huge amount of work into, and we're really proud of it. The feedback we've had from customers already has been extremely positive: they love the system and love being able to actually get their hands on the results and work with them and manage them, rather than being handed this 300 page report.
So you need a system that can pin it all together, and this is done by SecurePortal. I think what it's allowed us to do is digitise the experience; I'd add that it's the glue, if you like, that bonds PTaaS together. Ultimately it's allowing our clients to distribute and manage remediation tasks centrally, merging automated results with manual results into a single job queue. That speeds up the whole process for our clients, means they can react faster, which means they're going to remediate vulnerabilities quicker and reduce exposure faster. Do you both have any closing comments?
Yes. So my vision, Gav, is that we get everything into a single job queue, where you merge manual results with automated results into a single job queue that is de-duplicated and has a tag that shows you whether it's been found by a consultant or via an automated tool, or both. And then potentially, with rules that allow those findings to be automatically pushed into a third-party ticketing system like Jira, Slack, MS Teams or whatever the client might be using. That's all I have to report.
Absolutely. I think that kind of global view, that bird's eye view, is really powerful, and it's tempting just to have a page that's a list of every vulnerability and where it's coming from. I think, as you touched on there, is this automated, is this manual? And then de-duplicating as well, that's really important. If we're doing vulnerability scans and doing manual testing as well, we can't have the same vulnerability just described a slightly different way; that's going to be a real challenge for users. My standing joke that I've said for years is I've never met an over-resourced IT security team. It's very often one person, or maybe two if you're lucky. IT managers don't have the time to do everything that they need to do. So if they can just sit back, and if we can run tests and scans and push the information to a system that they're already using, there are massive productivity benefits. Absolutely, absolutely.
I've been to many councils, and I'll speak with my primary contact, and I'll discuss about remediation, they're sending out to the team and they'd be like, it's just me. And then you know, they would have a maybe an Excel spreadsheet, that they will try to attempt to track it. I think it's that kind of person is going to get the most benefit out of a system like this. And it's kind of bring everything together and actually manage it properly and track it.
Yeah, I know. You read everything in the papers, in the press, in industry magazines. Actually, when you're at the coalface it's quite surprising how different reality is. It's not that long ago that people would just do a report and do nothing with it. Literally nothing. Because they just didn't have the time: you've got two or three guys in an IT team and they're fixing printers. Then they're doing the test because they've got some compliance requirement, and they're not actually doing it for the right reasons. As much as they want to do it for the right reasons, they just don't have the resources to do it correctly.
No, absolutely. I've worked with clients where it's a running joke every year, like, please, please change your passwords for these. And they'd laugh and chuckle and say I really should. I think times have changed, you know, that kind of approach just can't be the approach these days. There's too much going on, there are too many threats out there, you've got to get things secure. So given that's the case, that's where PTaaS really comes into its own. If you can adopt and deliver PTaaS correctly, there are huge efficiency benefits for the small teams. It means that with their limited time they can focus on what's reasonable and what's really important, rather than getting lost in all the information that these reports and tests provide.
Absolutely. I guess that's the type of situation where, if you want to be on top of things, you have to have the continual testing; you're fully on board with the PTaaS approach. And, you know, you might come into work one day and there is an issue, and it's been flagged that day, and they can deal with it, they can look at it, they can investigate it, rather than having 1500 vulnerabilities to deal with and just not knowing how to prioritise them. It's such a challenge.
I think the other thing PTaaS gives you as well is, and again I've said this for a long time, if you do a really good job at security, nothing happens. It's very difficult to demonstrate return on investment to management. Whereas with PTaaS, actually, it can demonstrate that you've reduced risk. You can demonstrate activities and measure activities, and you can illustrate to the business what's actually been going on in the background. So yeah, nothing's happened, but you know what, we fixed six hundred vulnerabilities this year, and that's been a lot of work, and it's taken us this long, and we've reduced our age of vulnerability from 60 days down to 20. These are demonstrable benefits for a business that help them get a better understanding of the return on investment for security spending, not just something that they're having to do for compliance or because of some supply chain pressure, because they've been asked to do it. It becomes more demonstrable and allows teams to measure the benefit of security.
I think today's pen tests have got to be fast and efficient. As both Gav and Robin have mentioned, that's why PTaaS has stepped in to meet modern needs. PTaaS gives users everything they need, and one-time clients can now become recurring customers. Thank you both for your time today. It's been great having you both on today's episode. Join me next week for another Tech Bite. Follow the Pentest People Spotify page for more.