As any student knows, you can still fail an exam even if you know the subject matter cold. To pass, you have to show up; you have to be able to assemble a coherent sentence; you must be able to follow directions. The same thing is true when you conduct a penetration test.
Penetration testing networks or web applications has become increasingly important for enterprises as an added layer of defense against escalating attack sophistication. It is far more thorough than simple vulnerability scanning and is a required element of many compliance frameworks. But it also isn’t free: companies can spend many thousands of dollars on third-party penetration tests, sometimes only getting minimal value from it. Their enterprise may be secure; they may have the most iron-clad defenses; but if they aren’t adequately prepared, don’t understand the scope of the testing, or otherwise don’t know how to best leverage the engagement, they will fail to extract its full value.
Below are a number of things enterprises can do to maximize penetration testing success.
Deciding to do a pentest puts you in great company – it sets you apart from your competitors. Before you begin looking for vendors, consider your scope and define your budget. Scope will in part be defined by the compliance standards that must be addressed, both now and in the future (e.g., could your business expand to the EU where GDPR is in play?). Also, collect details of your web applications: the more information that you provide the penetration testing firm, the more refined their cost estimate will be.
Next, assemble a list of questions to screen prospective vendors to assess their knowledge, process, and fit for your organization:
Penetration Testing Techniques
To assess their thoroughness, ask whether they will: use manual techniques for examining code and exploitation; use multiple automated application scanners across applications; test the business logic of the application; use proprietary tools that you can’t recreate for verification purposes; and what their process is for retesting. Additionally, consider whether you want the team to test in your production or development environments and find out if they can support this need. This is a more common request granting virtualization and cloud deployments, and not all vendors will support it.
To understand how much visibility you will have into their results, ask whether they will provide the raw tool outputs with the report and if the report will show the full attack chain and logic that triggered the vulnerability.
To better determine fit for your needs and their flexibility, determine their scheduling process (will they move your engagement up if you are fully prepared?) and what their entire engagement cycle looks like from sale to post-remediation, including their reporting format and update frequency during and after the engagement, whether they will alert you immediately to critical findings, etc. Some testing firms will give discounts to customers who are able to quickly take advantage of their sudden schedule gaps; if you are fully ready, you could save money. Don’t be afraid to ask questions – you are new to the process and they are not; they should be supportive of your information requests.
You will then want to ensure your environment and staff are ready for the test: Prepare test accounts and whitelisting and submit/approve tickets before you even have a schedule established. Don’t schedule testing unless your applications and network are ready for prime time. For example, don’t time your testing during major code changes, huge architecture overhauls, deployments, or support staff vacations.
During the Penetration Test
During the engagement, expect your tester/s to provide you with updates of rough activities and findings daily or weekly, depending on the length of the engagement. It’s tempting to be very involved, ask detailed questions, etc., but be mindful that the more interaction you require from the tester, the less time he or she can devote to testing your environment.
Once the tester has completed their work, but prior to receiving the full report, we recommend asking for a full list of high-level findings. This allows you to prepare leaders, technical staff, and other departments that remediation might be necessary, reducing surprises and allowing for deliberate planning vs reactive panic.
While it may be difficult to be patient, allow your testers ample time to complete a quality, detailed report. Spend time assisting the testers with any questions they have during this time, which will help them validate/invalidate assumptions made during the testing phase. Getting the report to the most accurate picture of the risk and vulnerabilities is the end goal.
The results of a penetration test should be viewed as an opportunity to improve and remediate issues, making your organization more secure. Using the tips provided above, you can get more from it, discover more vulnerabilities that need to be addressed, and ensure the test is spanning the environments you most need evaluated—while providing the level of transparency you need to effectively drive change.