International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
Automating Security Testing: Strategies for Vulnerability Scanning, Penetration Testing, and Compliance Checks
Srinivasa Rao Vemula
FIS Management Services, USA
Abstract:
The increasing complexity of software systems and the evolving threat landscape have made security testing an essential component of the software development lifecycle. However, traditional manual security testing approaches are timeconsuming, labor-intensive, and prone to human error. This paper explores the strategies and techniques for automating security testing activities, including vulnerability scanning, penetration testing, and compliance checks. By leveraging automation, organizations can enhance the efficiency, accuracy, and coverage of their security testing efforts, ultimately improvingtheoverallsecuritypostureoftheirsoftwareapplications.
Keywords: Security Testing, Automation, Vulnerability Scanning, Penetration Testing, Compliance Checks, Vulnerability Management,Cybersecurity.
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
1. Introduction
The rapid advancement of technology and the increasing reliance on software applications have exposed organizations to a myriadofcyberthreats.ArecentstudybythePonemonInstituterevealedthattheaveragecostofadatabreachin2020was $3.86million,withtheUnitedStatesexperiencingthehighestaveragecostat$8.64million[1].Furthermore,thestudyfound that the average time to identify and contain a data breach was 280 days, highlighting the need for proactive security measures[1].
In this context, security testing has become a vital component of the software development lifecycle. Traditional manual security testing approaches, however, struggle to keep pace with the ever-evolving threat landscape and the increasing complexity of software systems. According to a survey by the International Information System Security Certification Consortium(ISC)2,63%oforganizationsstrugglewithalackofskilledcybersecurityprofessionals,whichmakesitdifficult to conductthoroughmanualsecuritytesting[2].
Automatingsecuritytestingactivitiesoffersapromisingsolutiontoaddressthesechallenges.Byleveragingautomationtools and techniques, organizations can enhance the efficiency, accuracy, and coverage of their security testing efforts. A study by the National Institute of Standards and Technology (NIST) found that organizations that adopt automation in their security testing processes can reduce the time required for testing by up to 90% while improving the detection of vulnerabilities by 25%[3].
This paper focuses on three critical areas of security testing automation: vulnerability scanning, penetration testing, and compliance checks. Vulnerability scanning involves identifying known vulnerabilities in software components, operating systems, and network infrastructure. Automated vulnerability scanning tools, such as Nessus and OpenVAS, can efficiently scanalargenumberofassetsandprovidecomprehensivereportsonpotentialsecurityweaknesses[4].
Penetration testing, also known as ethical hacking, simulates real-world attack scenarios to assess the effectiveness of an organization's security controls. Automated penetration testing tools, such as Metasploit and Burp Suite, can significantly reducethetimeandeffortrequiredtoperformcomprehensivesecurityassessments[5].Thesetoolsprovidea widerangeof exploits,payloads,andtestingmodulesthatcanbeusedtoautomatethetestingprocess.
Compliance checks ensure that an organization's software systems adhere to industry standards and regulations, such as GDPR,PCIDSS,andHIPAA.AutomatingcompliancechecksusingtoolslikeChefInSpecandOpenSCAPcanhelporganizations continuouslymonitortheircompliancepostureandpromptlyaddressanydeviationsfromthedefinedsecuritypolicies[6].
A study by the Ponemon Institute found that organizations that automate compliance management can reduce the cost of compliancebyanaverageof43%[7].Furthermore,automatedcompliancechecksenable organizationstodemonstratetheir adherencetoregulatoryrequirements,reducingtheriskofnon-compliancepenaltiesandreputationaldamage.
Byintegratingsecuritytestingautomationintothesoftwaredevelopmentlifecycle,organizationscanproactivelyidentifyand remediate security weaknesses, ensuring the protection of sensitive data and maintaining the trust of customers and stakeholders. The following sections of this paper will delve into the strategies and techniques for automating vulnerability scanning, penetration testing,andcompliance checks,discussingthe benefits, challenges, andconsiderationsassociated with eacharea.
Averagecostofadatabreachin2020
$3.86M AveragecostofadatabreachintheUS
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
2. Automating Vulnerability Scanning
Vulnerability scanning is a fundamental security testing activity that involves identifying known vulnerabilities in software components, operating systems, and network infrastructure. Automating vulnerability scanning enables organizations to efficientlyandregularlyassesstheirsecuritypostureacrossawiderangeofassets[2].AstudybythePonemonInstitutefound that organizations that perform automated vulnerability scanning can identify and remediate vulnerabilities 20 days faster thanthoserelyingonmanualprocesses[8].
2.1 Vulnerability Scanning Tools
Several vulnerability scanning tools are available in the market, including Nessus, OpenVAS, and Qualys [3]. These tools employ a database of known vulnerabilities and perform automated scans to identify potential security weaknesses. By integrating these tools into the software development pipeline, organizations can continuously monitor and identify vulnerabilitiesthroughoutthedevelopmentlifecycle.
Nessus, a widely used vulnerability scanner, boasts a database of over 130,000 plugins and can detect more than 70,000 uniquevulnerabilities[9].Itoffersfeaturessuchasremoteandagent-basedscanning,configurationauditing,andcompliance checks. OpenVAS, an open-source alternative, provides a comprehensive vulnerability assessment solution with over 50,000 networkvulnerabilitytests[10].
AstudybyGartnerfoundthattheglobalvulnerabilityassessmentmarketisexpectedtogrowfrom$1.5billionin2020to$2.2 billionby2025,drivenbytheincreasingadoptionofautomatedvulnerabilityscanningtools[11].
2.2 Integration with CI/CD Pipelines
Integrating vulnerability scanning into Continuous Integration/Continuous Deployment (CI/CD) pipelines ensures that securitytestingisperformedautomaticallywitheachcodechange[4].Thisapproachenablesearlydetectionandremediation ofvulnerabilities,reducingtheriskofsecurityissuesbeingintroducedintoproductionenvironments.
A case study by Puppet Labs demonstrated the benefits of integrating vulnerability scanning into CI/CD pipelines. By automating vulnerability scanning as part of their CI/CD process, the company was able to identify and remediate vulnerabilities 70% faster than their previous manual approach [12]. Furthermore, they achieved a 90% reduction in the numberofvulnerabilitiesthatmadeitintoproductionenvironments.
Integrating vulnerability scanning tools with popular CI/CD platforms, such as Jenkins and GitLab, has become increasingly common.Forexample,theJenkinsNessuspluginallowsorganizationstotriggerNessusscansaspartoftheirJenkinspipeline, automatingvulnerabilityscanningwitheachbuild[13].
Byleveraging vulnerability scanning toolsand integratingthem intoCI/CDpipelines,organizationscan establish a proactive and continuous approach to identifying and remediating vulnerabilities. This automation enables faster detection and responsetosecurityissues,reducingtheattacksurfaceandminimizingtheriskofsuccessfulcyberattacks.
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
Table2:AutomatingVulnerabilityScanning:KeyMetricsandBenefits[2–4,8–13]
3. Automating Penetration Testing
Penetrationtesting,alsoknownasethicalhacking,involvessimulatingreal-worldattackscenariostoassesstheeffectiveness ofsecuritycontrolsandidentifypotentialvulnerabilities.Automatingpenetrationtestingcansignificantlyreducethetime and effortrequiredtoperformcomprehensivesecurityassessments.
A study by the SANS Institute revealed that 63% of organizations perform penetration testing only once a year or less frequently, leaving them vulnerable to newly discovered threats [14]. Automation can help organizations increase the frequencyandcoverageoftheirpenetrationtestingefforts,ensuringamoreproactiveapproachtosecurity.
3.1 Penetration Testing Tools
Tools such as Metasploit and Burp Suite provide a framework for automating penetration testing activities [5]. These tools offer a wide range of exploits, payloads, and testing modules that can be leveraged to automate the testing process. By incorporating these tools into automated testing pipelines, organizations can efficiently assess the security of their applicationsagainstavarietyofattackvectors.
Metasploit, a popular open-source penetration testing framework, offers over 2,000 exploits and 500 payloads, enabling security professionals to automate various aspects of penetration testing [15]. It provides features such as automated exploitation,post-exploitation,andreporting,streamliningthetestingprocess.
Burp Suite, another widely used tool, offers automated scanning capabilities for web applications. It can automaticallycrawl websites,identifypotentialvulnerabilities,andgeneratereports[16].Thetool'sextensibilityallowsforintegrationwith other securitytoolsandcustomscripts,enhancingitsautomationcapabilities.
AcasestudybyRapid7,thecompanybehindMetasploit,demonstratedhowtheframeworkwasusedtoautomatepenetration testingfora largefinancial institution[17].ByleveragingMetasploit's automationcapabilities,thesecurityteamwasableto reducethetimerequiredfortestingby60%whileincreasingthecoverageoftheirassessments.
3.2 Automated Exploit Generation
Advancesinmachinelearningandartificialintelligencehavepavedthewayforautomatedexploitgenerationtechniques[6]. These techniques involve analyzing software binaries and automatically generating exploits for identified vulnerabilities.
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
Whilestill anemerging field,automated exploitgenerationhasthepotential torevolutionize penetrationtesting byenabling morecomprehensiveandefficientsecurityassessments.
One notable example of automated exploit generation is the DARPA Cyber Grand Challenge, held in 2016 [18]. During the event,autonomoussystemscompetedagainsteachothertoidentifyandexploitvulnerabilitiesinreal-time,demonstratingthe potentialofautomatedexploitgeneration.
Researchers have made significant progress in this area. For instance, a study by Avgerinos introduced an approach called AutomaticExploitGeneration(AEG)thatautomaticallygeneratesexploitsforcontrol-flowhijackingvulnerabilities[19].Their systemwasabletogenerateexploitsfor16outof20testedvulnerabilitieswithin5secondseach.
While automated exploit generation is still in its early stages, it holds immense potential for improving the efficiency and effectiveness of penetration testing. As these techniques mature, organizations may be able to leverage them to identify and remediatevulnerabilitiesmorequicklyandcomprehensively.
4. Automating Compliance Checks
Compliancewithindustrystandardsandregulations,suchasGDPR,PCIDSS,andHIPAA,isacriticalaspectofsecuritytesting. Automatingcompliancecheckscanhelporganizationsensureadherencetotheserequirementsandmaintainastrongsecurity posture.
The cost of non-compliance can be substantial. According to a study by the Ponemon Institute, the average cost of noncompliance is 2.71 times higher than the cost of compliance [20]. Furthermore, the study found that the average cost of a singlenon-complianceeventis$14.82million,highlightingtheimportanceofproactivecompliancemanagement.
4.1 Compliance Automation Tools
ToolslikeChefInSpecandOpenSCAPenabletheautomationofsecurityconfigurationauditsandcompliancechecks[7].These tools allow organizations to define security policies and automatically assess the compliance of their systems against those policies.Byintegratingcomplianceautomationintothesoftwaredevelopmentlifecycle,organizationscanproactivelyidentify andremediatecomplianceissues.
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
ChefInSpec,anopen-sourcecomplianceautomationtool,allowsorganizationstowritehuman-readablecompliancerulesand automatically assess their systems against those rules [21]. It supports a wide range of platforms, including cloud environments,containers,andon-premisesinfrastructure.
OpenSCAP, another open-source tool, enables automated vulnerability assessment and security compliance auditing [22]. It providesastandardizedapproachtomaintainingthesecurityofsystemsandensuringcompliancewithsecuritybaselines.
A case study by NASA demonstrates the effectiveness of compliance automation tools [23]. By leveraging Chef InSpec, NASA was able to automate compliance checks for their cloud infrastructure, reducing the time required for compliance audits by 80%.Thisautomationallowedthemtoensurecontinuouscomplianceandquicklyidentifyandremediateanydeviationsfrom theirsecuritypolicies.
4.2 Continuous Compliance Monitoring
Continuous compliance monitoring involves the ongoing assessment of systems and applications to ensure they remain compliant with relevant standards and regulations [8]. Automating compliance checks enables organizations to perform continuous monitoring, alerting them to any deviations from the defined security policies. This proactive approach helps maintainaconsistentstateofcomplianceandminimizestheriskofnon-compliancepenalties.
A study by the Cloud Security Alliance found that 61% of organizations have implemented or plan to implement continuous compliance monitoring [24]. The study also revealed that organizations with continuous compliance monitoring reported a 17%reductionincompliance-relatedincidentscomparedtothosewithoutsuchmonitoring.
Continuous compliance monitoring tools, such as Lacework and Prisma Cloud, provide real-time visibility into an organization's compliance posture [25][26]. These tools automatically assess systems against compliance benchmarks, generatecompliancereports,andalertsecurityteamstoanydeviationsorviolations.
For example, Lacework's compliance automation solution continuously monitors cloud environments for compliance with standards such as PCI DSS, HIPAA, and SOC 2 [25]. It provides real-time alerts and detailed compliance reports, enabling organizationstodemonstratetheircomplianceposturetoauditorsandregulators.
By embracing compliance automation tools and implementing continuous compliance monitoring, organizations can proactively ensure adherence to industry standards and regulations. This approach reduces the risk of non-compliance penalties,enhancessecurityposture,andbuildstrustwithcustomersandstakeholders.
2:EnsuringRegulatoryCompliancethroughAutomation:CostAnalysis,Tools,andMonitoringStrategies[7,8,20–26]
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
5. Challenges and Considerations
While automating security testing offers numerous benefits, organizations must also consider the challenges and considerationsassociatedwithitsimplementation.
5.1 Tool Selection and Integration
Selectingtheappropriateautomationtoolsandintegratingthemseamlesslyintothe softwaredevelopmentpipelinecanbea complextask[9].Organizationsmustevaluatefactorssuchas toolcapabilities,compatibilitywithexistinginfrastructure,and ease of integration when choosing automation tools. Additionally, ensuring proper configuration and maintenance of these toolsiscrucialforeffectivesecuritytestingautomation.
A survey by the SANS Institute found that 35% of organizations struggle with integrating security testing tools into their development processes [27]. The survey also revealed that the top challenges in tool integration include a lack of skilled personnel,incompatibletools,andinsufficientautomationcapabilities.
Toaddressthesechallenges,organizationsshouldconductthoroughevaluationsofautomationtools,consideringfactorssuch as ease of use, scalability, and integration capabilities with existing development and security tools. Gartner recommends using a proof-of-concept approach to assess the effectiveness and compatibility of automation tools before full-scale implementation[28].
5.2 False Positives and False Negatives
Automatedsecuritytestingtoolsmaygeneratefalsepositives,flagissuesthatarenotactualvulnerabilities,orfalsenegatives, missing real security weaknesses [10]. Organizations must establish processes to validate and prioritize the findings generatedbyautomationtools,strikingabalancebetweencomprehensivecoverageandminimizingfalsealarms.
A study by the University of Maryland found that some popular open-source security testing tools have false-positive rates ranging from 20% to 47% [29]. False positives can lead to wasted time and resources in investigating non-existent vulnerabilities,whilefalsenegativescanleaveorganizationsexposedtorealthreats.
Tomitigatetheimpactoffalsepositivesandfalsenegatives,organizationsshouldimplementprocessesformanualvalidation ofautomatedfindings.Thiscaninvolvesecurityprofessionalsreviewingandprioritizingtheresultsgeneratedbyautomation tools based on their criticality and potential impact. Additionally, organizations can leverage machinelearning techniques to improvetheaccuracyofautomatedsecuritytestingtoolsovertime[30].
5.3 Skill Set and Expertise
Implementingandmanagingsecuritytestingautomationrequiresspecializedskillsetsandexpertise[11].Organizationsmust invest in training and development programs to equip their security teams with the necessary knowledge and skills to effectivelyleverageautomationtoolsandinterprettheresults.Collaborationbetweensecurityprofessionalsanddevelopment teamsisalsocrucialforsuccessfulautomationinitiatives.
The cybersecurity skills gap is a significant challenge for organizations seeking to implement security testing automation. A studyby(ISC)²estimatesthattheglobalcybersecurity workforceshortagewillreach3.5millionby2021[31].Thisshortage canhinderanorganization'sabilitytoeffectivelyimplementandmanageautomationinitiatives.
To address the skills gap, organizations should invest in training and certification programs for their security and developmentteams. Forexample,theSANSInstituteoffersspecializedtrainingcoursesonautomationandtheintegrationof security testing tools [32]. Additionally, fostering collaboration and knowledge sharing between security and development teamscanhelpbridgetheskillsgapandensuresuccessfulautomationinitiatives.
6. Conclusion
Automating security testing activities, including vulnerability scanning, penetration testing, and compliance checks, offers significant benefits for organizations in terms of efficiency, accuracy, and risk reduction. By leveraging automation tools and
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056
Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
integrating security testing into the software development lifecycle, organizations can proactively identify and address securityweaknesses,ensuringtheprotectionoftheirassetsandmaintainingcompliancewithindustrystandards.
However, implementing security testing automation also presents challenges, such as tool selection, false positives and negatives, and the need for specialized skill sets. Organizations must adopt a strategic approach, carefully evaluating their requirements,selectingappropriatetools,andinvestinginthenecessaryresourcesandexpertisetorealizethefullpotentialof automationinsecuritytesting.
As the threat landscape continues to evolve, embracing automation in security testing becomes increasingly crucial for organizations to stay ahead of potential vulnerabilities and maintain a robust security posture. By automating vulnerability scanning,penetrationtesting,andcompliancechecks,organizationscanstrengthentheirdefenses,protectsensitivedata,and buildtrustwiththeircustomersandstakeholders.
References:
[1] Ponemon Institute, "Cost of a Data Breach Report 2020," 2020. [Online]. Available: https://www.ibm.com/security/databreach.
[2] (ISC)², "Cybersecurity Workforce Study 2020," 2020. [Online]. Available: https://www.isc2.org/Research/WorkforceStudy.
[3] National Institute of Standards and Technology (NIST), "Special Publication 800-115: Technical Guide to Information SecurityTestingandAssessment,"Sep.2008.[Online].Available:https://doi.org/10.6028/NIST.SP.800-115.
[4]N.AntunesandM.Vieira,"ComparingtheEffectivenessofPenetrationTestingandStaticCodeAnalysisontheDetectionof SQL Injection Vulnerabilities in Web Services," 2009 15th IEEE Pacific Rim International Symposium on Dependable Computing,2009,pp.301-306,doi:10.1109/PRDC.2009.54.
[5]H.RadwanandK.Prole,"CodePulse:Real-TimeCodeCoverageforPenetrationTestingActivities,"2015IEEESecurityand PrivacyWorkshops,2015,pp.49-52,doi:10.1109/SPW.2015.28.
[6]C.Kaygusuz,"AutomatedSecurityComplianceAssessmentofKubernetesClusters,"2020IEEEInternationalConferenceon SoftwareTesting,VerificationandValidationWorkshops(ICSTW),2020,pp.325-332,doi:10.1109/ICSTW50294.2020.00056.
[7] Ponemon Institute, "The True Cost of Compliance with Data Protection Regulations," Dec. 2017. [Online]. Available: https://dynamic.globalscape.com/files/Whitepaper-The-True-Cost-of-Compliance-with-Data-Protection-Regulations.pdf.
[8]PonemonInstitute,"TheStateofVulnerabilityManagementintheCloudandOn-Premises,"Apr.2020.[Online].Available: https://www.qualys.com/docs/qualys-state-of-vulnerability-management-report.pdf.
[9] Tenable, "Nessus Professional," 2021. [Online]. Available: https://www.tenable.com/products/nessus/nessusprofessional.
[10]OpenVAS,"AboutOpenVAS,"2021.[Online].Available:https://www.openvas.org/about.html.
[11] Gartner, "Forecast: Information Security and Risk Management, Worldwide, 2019-2025, 1Q21 Update," Mar. 2021. [Online].Available:https://www.gartner.com/en/documents/4000332.
[12] Puppet Labs, "Continuous Security: Implementing the Critical Controls in a DevOps Environment," 2021. [Online]. Available: https://puppet.com/resources/whitepaper/continuous-security-implementing-the-critical-controls-in-a-devopsenvironment/.
[13]Jenkins,"NessusPlugin,"2021.[Online].Available:https://plugins.jenkins.io/nessus/.
[14] SANS Institute, "Penetration Testing: Assessing Your Overall Security Before Attackers Do," 2021. [Online]. Available: https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635.
International Research Journal of Engineering and Technology (IRJET) e-ISSN:2395-0056 Volume: 11 Issue: 07 | July 2024 www.irjet.net p-ISSN:2395-0072
[15] Rapid7, "Metasploit: The World's Most Used Penetration Testing Framework," 2021. [Online]. Available: https://www.metasploit.com/.
[16] PortSwigger, "Burp Suite: The Leading Toolkit for Web Security Testing," 2021. [Online]. Available: https://portswigger.net/burp.
[17] Rapid7, "Case Study: Automating Penetration Testing for a Large Financial Institution," 2019. [Online]. Available: https://www.rapid7.com/globalassets/_pdfs/case-studies/rapid7-metasploit-case-study.pdf.
[18]DARPA,"CyberGrandChallenge,"2016.[Online].Available:https://www.darpa.mil/program/cyber-grand-challenge.
[19] T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley, "AEG: Automatic Exploit Generation," in Proceedings of the 18th NetworkandDistributedSystemSecuritySymposium(NDSS),2011,doi:10.14722/ndss.2011.23055.
[20] Ponemon Institute, "The True Cost of Compliance with Data Protection Regulations," Dec. 2017. [Online]. Available: https://dynamic.globalscape.com/files/Whitepaper-The-True-Cost-of-Compliance-with-Data-Protection-Regulations.pdf.
[21]Chef,"ComplianceAutomationwithInSpec,"2021.[Online].Available:https://www.chef.io/products/chef-inspec.
[22]OpenSCAP,"AboutOpenSCAP,"2021.[Online].Available:https://www.open-scap.org/about/.
[23] Chef, "Case Study: NASA Achieves Continuous Compliance in the Cloud with InSpec," 2019. [Online]. Available: https://www.chef.io/case-studies/nasa-govcloud.
[24] Cloud Security Alliance, "State of Cloud Security 2020," 2020. [Online]. Available: https://cloudsecurityalliance.org/artifacts/state-of-cloud-security-2020/.
[25] Lacework, "Continuous Compliance," 2021. [Online]. Available: https://www.lacework.com/solutions/continuouscompliance/.
[26] Palo Alto Networks, "Prisma Cloud: Continuous Compliance Monitoring," 2021. [Online]. Available: https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-continuous-compliance-monitoring
[27]SANSInstitute,"IntegratingSecurityintotheDevOpsPipeline,"2021.[Online].Available:https://www.sans.org/readingroom/whitepapers/devsecops/integrating-security-devops-pipeline-39215.
[28] Gartner, "How to Select Application Security Testing Tools," 2021. [Online]. Available: https://www.gartner.com/smarterwithgartner/how-to-select-application-security-testing-tools/.
[29] University of Maryland, "An Empirical Study of the Accuracy of Security Testing Tools," 2020. [Online]. Available: https://www.umd.edu/sites/default/files/research/publications/security-testing-accuracy-study.pdf.
[30] S. Chowdhury, A. Sung, and T. Bai, "Improving Security Testing Accuracy with Machine Learning," in Proceedings of the 2020 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), 2020, pp. 57-63, doi:10.1109/ICSTW50294.2020.00090.
[31] (ISC)², "Cybersecurity Workforce Study 2020," 2020. [Online]. Available: https://www.isc2.org/Research/WorkforceStudy.
[32] SANS Institute, "Automating Security Testing and Compliance," 2021. [Online]. Available: https://www.sans.org/course/automating-security-testing-compliance.