Scaling security testing is a major challenge for DORA-regulated entities. Let’s explore concrete solutions for industrializing resilience testing without blowing the budget.
Nota Bene: This article is the second chapter of our guide to security testing for DORA-regulated entities, which we recommend you read from the beginning if you haven’t already.
Scaling cybersecurity is a central and necessary topic, all the more so for companies in the financial sector. The Digital Operational Resilience Act’s (DORA) requirement for increased security testing raises a major question for security managers in large organizations.
How can so many tests — eclectic ones at that — be carried out on so many assets and perimeters, across so many entities, repeatedly or continuously throughout the year? How to streamline the exercise, automate processes and centralize results? And above all, how can we do all this without blowing up the security budget? The DORA Regulation has high ambitions, and it’s up to the CISOs of regulated structures to meet them.
You can continue reading this chapter published as an article on our blog, or download the full DORA guide to security testing below in PDF format for easier reading.
DORA: A Guide to Security Testing for Regulated Entities
A 60-page compliance guide to walk security managers of DORA-regulated entities through the regulation's security testing obligations: the resilience testing program, and Threat-Led Penetration Testing (TLPT).
Different Ways of Scaling for Different Areas of Cybersecurity
First of all, it’s important to understand that cybersecurity is not a uniform, monotonous block, but a multifaceted field. Even if we stick to the simple dichotomy between defensive and offensive security — Blue Team and Red Team —, the subjects are numerous and heterogeneous: attack detection, threat analysis, code security, cloud security, security testing, etc.
So there isn’t just one way of scaling when it comes to resilience testing, but several, each with its own challenges and solutions. The corollary of the previous point is that, if strengthening global digital security cannot be considered in a single piece, it must be approached through the particular prism of each of its sub-domains.
At Yogosha, there’s one thing we’re particularly passionate about — it’s even our job — and that’s security testing. If there’s a topic we can perhaps contribute to, it’s this one. Therefore, we won’t be exploring the question of scaling cybersecurity as a whole, but rather through the very specific lens of security testing in the context of DORA, and more specifically offensive testing.
Automated Tests Are Easier to Scale
The automated nature of some security tests advocated by Article 25 of DORA makes them more easily scalable, such as vulnerability scans and SAST tools (Static Application Security Testing). Here, security teams will face three main challenges:
- negotiating a budget sufficient to afford a range of tools, which are necessary but often expensive;
- understanding their organization’s attack surface and all its exposed assets, in order to avoid blind spots that might be potential entry points for malicious actors;
- properly calibrating the different automated tools, which again calls for in-depth knowledge of the organization’s attack surface, as well as technical skills and prior Cyber Threat Intelligence (CTI) work.
It is worth noting that Article 13 of DORA sets out the obligation for regulated entities to monitor cyber threats, while Chapter VI encourages mutual assistance within the banking system, through the sharing of information on cyber threats between financial institutions. For more information, we suggest you read our DORA compliance guide, and more particularly the chapter dedicated to cyber threat monitoring.
The Difficulty of Scaling Human Intervention
However, the challenge of scaling up is far more difficult when human intervention, often manual, comes into play:
- It is far more difficult to scale human expertise than automated solutions. Security professionals are a scarce resource, and all of them have only two hands and no desire to work around the clock.
- The costs of human intervention are recurrent. Unlike the acquisition of an automated solution, which can be expensive but remains one-off, the use of cybersecurity professionals means paying them every time, whether by salary or per-service billing. Moreover, the complexity of cybersecurity combined with the skills shortage means that these costs are usually high.
- The side work — scoping meetings, documentation, vulnerability management… — is time-consuming and grows exponentially with the number of tests carried out.
When it comes to scaling up, these issues are common to all human interventions in cybersecurity. As such, they also apply to penetration testing, as referred to in Article 25 of DORA.
Pentesting is probably the most common offensive test used by organizations throughout the world, and is therefore the most important to consider. After all, the whole point is to strengthen and develop the overall level of security, so it’s with the most widespread methods that we should approach the subject of scaling security testing.
Penetration Testing: the Limits of Traditional Approaches
Let’s face it: it’s unthinkable to carry out pentests “the old-fashioned way” in the context of the Digital Operational Resilience Act. It’s not so much the tests themselves that pose a problem, but everything that surrounds them.
Organizing a penetration test with a traditional service provider, usually an IT firm, involves cumbersome and time-consuming processes. Scoping, follow-up and debriefing meetings are time-consuming, actual testing rarely begins for three to six weeks, and results are communicated via outdated channels — who said anything about PDF?
And we’re talking here about a single pentest, so imagine how difficult it would be to do this for all the tests induced by DORA, for all assets, across all entities… Not to mention the cost of traditional pentests, which alone would blow the entire security budget.
DORA: A Complete Guide to Compliance for the Financial Sector
A 50-page guide to walk CISOs, DPOs and legal departments through the EU regulation. No mumbo jumbo, only useful and actionable insights.
A Frequency No Longer Suited to Today’s Security Challenges
Worse still, the sporadic nature of traditional penetration tests means that they are no longer suited to the security challenges faced by modern organizations. These tests are useful for identifying vulnerabilities at a given point in time, but they are by their very nature inadequate for dealing with the fluctuating nature of cyberthreats.
The digital ecosystem is dynamic, with new vulnerabilities emerging every day, and malicious actors constantly renewing their approaches. Point-in-time testing offers only limited visibility, exposing companies to the potential risks that can arise between tests.
For organizations regulated by DORA, with growing security needs, the answer lies elsewhere than in traditional approaches. We need to rethink the structure of our tools and processes. We need to be able to respond to hundreds of projects in Agile mode, to numerous weekly deliveries, to business imperatives, to data sovereignty considerations…
We need an approach to penetration testing that is flexible, scalable, streamlined and, if possible, continuous. In other words, we need Pentest as a Service (PtaaS).
Scaling Through Pentest as a Service (PtaaS)
Pentest as a Service (PtaaS) is a solution for all organizations that need to carry out several dozen penetration tests a year, on multiple perimeters and entities. PtaaS as proposed by Yogosha differs from traditional approaches in two respects:
- Digitization and industrialization of pentesting, through a sovereign platform available as SaaS or Self-Hosted;
- Access to a unique skills pool, through a community of 800+ security researchers specialized in different types of assets and technologies.
1. Industrializing Pentesting Through Digitalization
Digitizing pentesting through a platform provides the flexibility and speed required to scale up security testing, allowing for:
- launching a pentest in less than a week (compared to three to six weeks with an IT firm);
- live reporting of vulnerabilities on our platform, without having to wait until the end of the test, enabling rapid remediation of the most critical vulnerabilities, and seamless integration of security testing into CI/CD pipelines;
- direct communication with security researchers for more agile and efficient testing;
- the segregation of tests (and roles) across multiple entities and business units, thanks to a system of programs and workspaces;
- the traceability of test activities thanks to the built-in VPN;
- the simplification and centralization of vulnerability management before, during and after testing, thanks to our Vulnerability Operations Center (VOC) and its various analytical dashboards;
- the integration with your ticketing and remediation tools via API or connectors (Jira, Slack, ServiceNow…);
- the industrialization of pentesting activities, with comprehensive yet modular offerings and a single contractual framework.
2. Finding the Best Experts and Bridging the Skills Gap
Digitizing pentesting via a platform only addresses one of the challenges posed by scaling up security testing: industrializing tools and processes. But there is another major challenge for organizations: finding qualified experts to carry out the actual tests.
Recruit Security Professionals or Outsource Testing?
Organizations have two options when it comes to performing penetration tests.
1. In-house human resources. This option has many advantages, but unfortunately there is a worldwide shortage of cybersecurity talent. Forbes estimated that there were 3.5 million vacancies in the sector at the beginning of 2023, an increase of 350% in less than 10 years. Talent is therefore scarce and expensive, and not all entities can afford to have a decent team of pentesters.
2. Turn to a specialized service provider. This is the solution favored by many companies, who choose to outsource security testing to a service provider, usually an auditing firm. But a firm’s expertise is always limited to that of its own employees, and their numbers. Even the most talented pentester won’t be familiar with all types of assets and technologies — it’s impossible. When choosing the service provider who will carry out the tests, it is therefore essential to ensure that they have the in-house skills to match the specificities of the scope to be tested.
To address these two difficulties — recruiting qualified professionals, or making sure a service provider has the in-house skills you need — we offer a unique response: the Yogosha Strike Force.
The Yogosha Strike Force, a Community of 800+ Screened Experts
The Yogosha Strike Force (YSF) is a private, selective community of over 800 international security researchers:
- Specialized in finding the most critical vulnerabilities by simulating sophisticated hacker attacks.
- Experts in multiple asset types — Web and Mobile Apps, IoT, Cloud, Networks, APIs, Infrastructure…
- Holders of recognized cybersecurity certifications — OSCP, OSEP, OSWE, OSEE, GXPN, GCPN, eWPTXv2, PNPT, CISSP…
We select only the most talented researchers: only 10% of applicants are accepted, after passing technical and written exams. Identity and background checks are also carried out.
Through the Yogosha Strike Force, organizations under the scope of DORA have access to:
- a large number of carefully selected international security experts;
- an unrivaled range of skills to best address all types of assets and technologies.
Towards Better Management of In-House Pentests
It goes without saying that calling in the experts from the Yogosha Strike Force is optional, especially if you already have competent professionals in-house. In this case, the challenge is not so much to find the right profiles, but rather to efficiently organize large numbers of in-house resilience tests, and then effectively manage their fallout — again, it’s about scaling up. Here, too, the Yogosha platform has a role to play.
Yogosha as a Pentest Management Platform
Organizations with their own pentesters can invite them to join our platform, the Vulnerability Operations Center (VOC), to digitalize and streamline penetration testing.
Pentests are then organized by projects and entities, with role and access management, and reports are centralized in a single tool. Exchanges with pentesters can take place directly within the reports, while holistic views enable rapid assessment of risk exposure at micro (per perimeter) or macro (per entity) level. Vulnerability management is facilitated, from triage to remediation, thanks to connectors and webhooks with different tools — Jira, Slack, ServiceNow, etc.
The Yogosha platform offers another interesting advantage for the most sensitive financial entities: it’s available as SaaS, but also as a self-hosted solution for deployment on a private cloud or on premise. Which brings us straight to the next point.
Resilience Testing and Data Governance, a Major Priority
The proper management of data is a major challenge for financial entities. The ICT risk management framework introduced by DORA (Article 6) requires organizations to protect all their assets, including “information assets” — i.e., data. Furthermore, it goes without saying that the responsibility of financial entities doesn’t end as soon as a supplier enters the picture — the DORA text is very clear on this point.
Resilience testing involves a certain amount of sensitive data, such as information on potentially exploitable vulnerabilities. It is therefore essential to choose a reliable and solid test provider. Here, it’s up to regulated organizations to investigate the quality of each provider.
A Platform Available as SaaS or Self-Hosted
Our platform can be deployed in different ways to meet the security requirements of all organizations, even the most sensitive.
The Yogosha platform is available:
- SaaS: a turnkey solution, hosted via 3DS Outscale and its SecNumCloud-certified sovereign cloud (the highest French security standard, established by the French CERT). Data is hosted on French soil.
- Self-Hosted: a solution designed for organizations with the most stringent security requirements. You’re free to host the Yogosha platform wherever you like — private cloud, on premise — to retain total control over your data and the execution context.
In both cases, the intrinsic robustness of our product is at the heart of our concerns. We continually secure our assets through a DevSecOps pipeline, OWASP guidelines, recurrent penetration testing and an ongoing bug bounty program. We are also in the process of obtaining ISO 27001 certification for our platform.
Reducing the Number of Test Providers to Simplify Third-Party Management
DORA allows financial entities to rely on multiple providers, “at group or entity level”, as part of their digital operational resilience strategy. However, this will require highlighting “the key dependencies on ICT third-party service providers, and explaining the rationale behind the procurement mix of ICT third-party service providers” [DORA, Article 6(9)]. In other words, you have to draw up a fully detailed and documented third-party management policy.
It is therefore in the interest of financial entities not to multiply their service providers more than necessary, in order to avoid unnecessarily tedious third-party management. Not to mention the fact that the multiplication of suppliers also implies an increase in management and communication tasks, as well as data security issues.
By industrializing resilience testing with Yogosha, you de facto limit the number of providers involved to a single one — your legal and GRC teams will thank you.
Reconciling Increased Testing With Security Budgets
The multiplication of security tests also raises a number of financial issues. A traditional penetration test is expensive, costing between $10k and $35k according to Blaze. And we’re talking about a single test here, so imagine the bill for entities affected by DORA, which are required to carry out resilience tests at least once a year for every system or application that supports critical or important functions. It’s high enough to make any CISO or CFO shudder…
Scaling up security testing therefore represents a real economic challenge for organizations. How do you increase the number of security tests without blowing your cybersecurity budget? Here again, we’re rooting for our bread and butter with Pentest as a Service (PtaaS).
PtaaS: up to 96% higher ROI than traditional pentesting
From a financial point of view, PtaaS is generally more attractive than the traditional approach. Pricing is generally more attractive for companies, but it’s the disappearance of many hidden costs that makes all the difference — time-consuming triage, tedious vulnerability management, friction with Agile methodologies, and so on.
Since we’re not impartial on this matter, we refer you instead to an article by Tech Beacon, 4 hidden costs of pentesting. In it, we learn that the ROI of Pentest as a Service can be up to 96% higher than its historical counterpart.
If you’re affected by the increase in DORA-induced security tests, and their costs, feel free to contact us for a quote or a demo of our Pentest as a Service (PtaaS) solution.
Furthermore, it’s important to bear in mind that the resilience testing program is only the first part of the DORA-induced testing obligations. The second, even more demanding part is covered in the third chapter of this guide: