What to Ask When Buying a Premium Penetration Test (PT) for Your Business?

Finding a good and trusted penetration testing vendor is not an easy task, no matter what your needs may be. In this short article, we will go over the main aspects you should review when shopping for a penetration testing vendor.

Before we start, it’s important to understand that there is no one-size-fits-all solution. Different businesses require different vendors. It’s up to you to find the firm best suited for your needs. 

Do I Need Premium Penetration Testing for my Business?

This is a decision that you need to make by yourself, rather than with the vendors you are speaking with. ‘Penetration testing’ is a very broad term and could be used to describe many possible security audits on the market.

The difference between a light penetration test and a premium one lies mainly in the amount of time and expertise invested in testing your security. Ultimately, this translates into the price you will have to pay.

The main factors to take into account when deciding whether quality penetration testing is needed for you are:

  • Preventing security breaches – If a security breach is something that could devastate your business, harm your reputation or prevent clients from working with you in the future, it is highly recommended to invest in higher-quality penetration testing in order to reduce this risk to a minimum.
  • Enterprise clients – When closing new deals with clients, especially corporations, some might require you to present a penetration testing report to make sure your services are secure and won’t compromise their data. If the penetration test is not up to their standards, they may reject it or request that you perform a more comprehensive one. This could be a major deal-breaker for many businesses.
  • Sensitive data – If your business holds sensitive data such as personal information or financial transaction records, you may be at a higher risk of being targeted by malicious actors. Moreover, in case of a breach, you may be forced by law to pay damages to the clients whose information has been compromised. Higher-quality penetration testing is thus warranted to prevent future losses.

Is This Vendor Experienced in Testing My Technology?

As there is a growing number of technologies in use on the market, you need to make sure the vendor you choose has experience with the specific technology you are using.

The two main categories for this are application and infrastructure penetration testing. 

Application penetration testing can be divided by the platforms applications target, such as web, Android/iOS, or Windows/Linux/Mac. A penetration testing vendor with Android experience, for instance, may or may not be knowledgeable about web apps. You should therefore ask prospective vendors about their experience before committing.

Infrastructure penetration testing can likewise be divided into different categories. Back-end infrastructure testing for a multinational company with hundreds of thousands of clients is a completely different beast from infrastructure testing for a small start-up. A penetration testing vendor not experienced with large-scale operations is probably unsuitable for a larger company. The technology used in your back-end also matters when choosing a vendor, so you should probe prospective vendors about which technologies they have worked with before.

In general, penetration testing can be either blackbox or whitebox. Blackbox penetration testing means that the testers do not investigate the internals of the system (source code etc.), simulating a real attack. Nevertheless, there are some downsides to this method: firstly, real attackers are not limited by time the way testers are, and secondly, testers might miss important vulnerabilities. Whitebox testing is the exact opposite: testers are given access to system internals. This frequently involves a thorough code review, which requires more time and effort from the testers and, in turn, makes the test more expensive.

Vendors usually specialize in either blackbox or whitebox PTs, so reviewing their experience is important. A vendor knowledgeable in blackbox testing, for example, may not be experienced in methodical code review practices.

In many cases, combining the two approaches will achieve the best results. This combined test is called graybox testing. Since there is no precise definition of it, it will vary between tests and companies. Communicating your deadlines, technical requirements and objectives to your vendor will help define the scope of the graybox test (VPN access, admin accounts, a list of endpoints, etc.). Additionally, effective communication will make the testing process more efficient in terms of both time and price.

Who Will Perform the Testing? 

The most important, yet almost always the most neglected factor in determining the PT quality is the tester or testers who will perform the work. 

When committing to a PT, make sure you know the names and qualifications of the people who will perform the testing. Consider asking your vendor the following questions about the testers:

  • Do they have more than 2 years of experience in the field?
  • Are they working directly for the vendor, or are they subcontractors? Delegating work to subcontractors is very common among large security vendors, and it may adversely affect the quality of the service. It can also harm accountability, as subcontractors are usually left anonymous.
  • Are the testers dedicated to my project, or are they working on several projects simultaneously?

Ask to review their previous work. Did they receive any CVEs (publicly disclosed vulnerabilities) for past findings? Have they worked with a tech stack similar to mine?

What Methodology Will Be Used for My Test?

A respected penetration testing vendor will use a well-defined methodology and framework as a quality assurance. There are many competing standards; here is a brief overview:

  • OWASP Web Security Testing Guide (WSTG) – Formerly called the OTG (OWASP Testing Guide). This standard is the best guide for web and mobile apps, because it is the most up to date and the most technically informative about the tests that need to be performed during a penetration test. It is currently the de facto industry standard for PTs and is commonly required by corporations from their vendors.
  • Penetration Testing Execution Standard (PTES) – A high-level standard that covers the general methodology pen-testers should follow. The standard itself does not get into the technical details of pen-testing (i.e. exactly what to test) but has a supplementary technical guideline with very extensive information. This standard is better suited to infrastructure penetration tests.
  • NIST Cybersecurity Framework (CSF) – This standard by the US National Institute of Standards and Technology (NIST) is best suited to auditing the overall cybersecurity status of an organization; it is not specifically crafted for penetration testing. NIST has also released a guide (NIST 800-115) covering the technical aspects of security testing.
  • Building Security In Maturity Model (BSIMM) – This framework was created using a different approach: originally, the authors reviewed the security practices of 9 successful software houses and laid them out in a single model. The most recent release, BSIMM12, was based on the practices of 128 different organizations. This framework is similar to NIST’s in that it covers all kinds of activities organizations should undertake to enhance their security, rather than focusing only on penetration testing.
  • Information System Security Assessment Framework (ISSAF) – An outdated standard: its latest version (0.2.1B) was published in May 2006, and as such much of ISSAF’s technical information is no longer particularly relevant.

When purchasing a premium penetration test or any security audit, make sure the correct methodology is used. If your PT vendor does not use any methodology, or uses an outdated one, this can lead to a low-standard test, which will often be rejected by your clients.

Is the Test Manual or Automatic?

Automatic testing is good for light penetration testing and provides initial coverage. It is cheap to perform and will therefore lower the overall cost of the test. Manual penetration testing is better for finding “zero-days”, previously unknown vulnerabilities in your setup that could drastically affect your business.

A high-quality PT should be a mixture of automatic scripts and manual research done by an expert tester. 

Automatic scripts are great for finding known (1-day) vulnerabilities, which are frequently present in third-party services and libraries.

Manual testing helps you find vulnerabilities in your own code, i.e. your business logic. This kind of vulnerability testing can’t easily be automated, as every system is different and has its own share of unique vulnerabilities.

When purchasing a test, make sure that you are paying for a high-quality penetration test that provides both automatic scanning and manual research. Keep in mind that the majority of the cost will go to manual research, as it is far more expensive to perform and can’t be automated.
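To make the split between the two kinds of testing concrete, here is an added example (not code from the original article or from any vendor it describes) that puts a toy automated dependency check next to a business-logic flaw that such a check can never see. Part 1 mimics what an automated scanner does: it reads a pinned requirements list and flags any library whose version falls inside a known-affected range. Part 2 shows a checkout routine with a logic flaw in the application's own code (a coupon that can be applied repeatedly and a quantity that is never validated) beside a hardened version; the dependency scan passes cleanly either way, which is exactly why that class of bug is found by a human reading the code. All package names, versions and advisory identifiers are constructed placeholders, not real advisories.

```python
"""Added example: automated known-vulnerability scan vs. manual business-logic review.

Nothing here refers to real packages or advisories; every name, version and
advisory id is a constructed placeholder for illustration.
"""


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


# Constructed advisory list: (package, first affected, first fixed, advisory id).
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "EXAMPLE-ADV-0001"),
    ("otherlib", "2.0.0", "2.3.0", "EXAMPLE-ADV-0002"),
]


def parse_requirements(text):
    """Parse 'name==x.y.z' lines (a pinned requirements file) into {name: version}."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            pins[name.strip().lower()] = version.strip()
    return pins


def scan_dependencies(pins, advisories=ADVISORIES):
    """Part 1: the automated step. Report every pinned library whose version is
    in [first affected, first fixed); returns (name, version, advisory, fix)."""
    findings = []
    for name, first, fixed, adv_id in advisories:
        if name in pins:
            v = parse_version(pins[name])
            if parse_version(first) <= v < parse_version(fixed):
                findings.append((name, pins[name], adv_id, fixed))
    return findings


def checkout_flawed(items, coupons):
    """Part 2, flawed: trusts the client-supplied quantity and applies every
    submitted coupon, including the same code repeated. items = [(price_cents, qty)]."""
    total = sum(price * qty for price, qty in items)
    for code in coupons:
        if code == "SAVE10":
            total -= total // 10  # 10% off, once per submission of the code
    return total


def checkout_hardened(items, coupons):
    """Part 2, hardened: rejects non-positive quantities and negative prices,
    applies each coupon code at most once, and never returns a credit."""
    for price, qty in items:
        if qty <= 0 or price < 0:
            raise ValueError("invalid quantity or price")
    total = sum(price * qty for price, qty in items)
    for code in set(coupons):  # de-duplicate submitted codes
        if code == "SAVE10":
            total -= total // 10
    return max(total, 0)


# Constructed pinned requirements for the demo.
SAMPLE_REQUIREMENTS = """
examplelib==1.2.0   # inside the affected range
otherlib==2.3.0     # exactly the fixed version, so not affected
safelib==0.1.0      # no advisory at all
"""


def demo():
    """Run both parts and return the results so they can be inspected."""
    scan = scan_dependencies(parse_requirements(SAMPLE_REQUIREMENTS))
    # The scanner says nothing about the application's own logic:
    flawed_double_coupon = checkout_flawed([(1000, 2)], ["SAVE10", "SAVE10"])
    flawed_negative_qty = checkout_flawed([(1000, -2)], [])
    hardened_double_coupon = checkout_hardened([(1000, 2)], ["SAVE10", "SAVE10"])
    return scan, flawed_double_coupon, flawed_negative_qty, hardened_double_coupon


if __name__ == "__main__":
    scan, f1, f2, h1 = demo()
    print("automated scan findings:", scan)
    print("flawed checkout, coupon twice:", f1, "(should be 1800)")
    print("flawed checkout, negative quantity:", f2, "(a credit to the buyer)")
    print("hardened checkout, coupon twice:", h1)
```

The automated part reports the one library inside its affected range and correctly ignores the one pinned at the fixed version; that is the kind of 1-day finding worth paying a scanner for. The two checkout functions are where the manual budget goes: the flaw is entirely in the application's own rules, so no version list, signature or scanner output would ever mention it.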

Summary

Buying a penetration test is a complex task, especially when comparing two vendors. We highly recommend that you understand the goal of the penetration test before asking for quotes. Is it for certification only? Do your clients request it? How important is the security level to your company?

After understanding your internal needs, make sure the vendor you work with has experience in your technological field, and that the penetration tester who will work on your platform has past experience in the field as well as publicly available CVEs.

Verify with the vendor how much of the budget is designated for automated tests and how much for manual tests; manual tests should account for the majority of the price.

Ask the vendor for an example penetration test report and review the severity and complexity of the findings, and ask for references from past clients.

And as for all complex decisions, trust your gut and stay safe!