How to Save Money on Pen Testing - Part 1Charles Gillman of Moula Money Offers Tips to Maximize Value and Get Great Results
Regular penetration testing, or pen testing, is an essential part of understanding your organization's security posture by mimicking a cyberattack using the same tools, techniques and procedures as an attacker. The findings from a penetration test can help you identify risks and gaps in your security controls. By identifying and remediating issues before they are discovered by an attacker, you ensure the ongoing security and protection of applications and infrastructure.
Unfortunately, many pen tests fall short of their intended outcomes due to poor scoping, ill-defined goals and unrealistic testing - meaning testing that is too specific and technical or not technical enough.
Adding to the pain of poor outcomes is the cost. A typical pen test engagement can cost anywhere from $10,000 for a one-week engagement to test a basic web application to over $100,000 for a significant project, such as an extensive perimeter pen test for an enterprise. So how do you get the best value for the money you're investing in pen testing?
In Part 1 of this article, I'll take you through six of 11 simple tips to maximize the value of your next pen test and, in the process, deliver better results.
Selecting the Right Vendor
Tip 1: Select your pen test vendor wisely.
Selecting a reasonably priced, skilled pen test vendor with a proven track record and high-quality, usable deliverables will help ensure a quality outcome and leave some budget for more in-depth testing or further tests.
There are three primary considerations when selecting a pen test vendor: price, skills/experience and the quality of their reports.
This is the least important consideration. Most pen testing engagement rates are pretty similar, with a few outliers in the cheap but questionable category and the high-end, over-the-top, platinum version.
Also, look for vendors that bundle retesting of discovered vulnerabilities into the price. If that's not included, it can be 10% to 20% of the cost of the initial test, depending on the vendor and the type of test.
Skill and experience are the next most important criteria. Look for firms with teams of testers that are CREST or OSCP certified. Also, ask for bios on the testers performing the test, and look for mentions of vulnerabilities discovered with CVE numbers or participation in bug bounty programs attributable to the pen test vendor or pen tester.
The quality of the report is the most important criterion for me when choosing a pen test vendor - provided they have adequately skilled testers. It's the report that your organization will be left with when the testers have moved on to their next engagement.
Penetration testing is expensive, and the pre-canned "advice" delivered in a pen test report is often worthless and alarmist. I know; I've written my fair share of pen test reports in the past. Terms like "implement best practice" do nothing to drive the change needed to uplift an organization's security posture.
Look for reports that deliver pragmatic remediation advice, including configuration and code snippets. Most importantly, review sample reports for alarmist findings such as cookie flags marked as "High Risk" - a pet hate of mine. Reports with alarmist findings do nothing to help you drive remediation in your organization.
Also, look for vendors that take reporting further by integrating with your ticketing system to raise tickets for issues they find or that provide videos of their hacks, which can show how simply an attacker can exploit technical security issues.
Types of Testing
Tip 2: Perform White Box Testing to save time and money.
In White Box Testing, you give the pen testers detailed information about the target environments, including domains/subdomains, hostnames, IP addresses, network diagrams, accounts of different privilege levels, Swagger/OpenAPI definitions and even access to source code. Significantly reducing or eliminating the Information Gathering, Reconnaissance and Discovery phases through a White Box Testing approach can provide significant time and cost reductions.
White Box Testing follows an "assume breach" mindset by giving pen testers access that allows them to execute test cases such as privilege escalation, lateral movement and the identification of sensitive systems or data.
Tip 3: Perform Black Box Testing to discover your actual perimeter.
In Black Box Testing, you provide minimal information to the pen testers about the target - for example, only a domain, an IP or hostname, or IP subnet, or as little as a company name. This type of testing is suitable for simulating a targeted attack such as an advanced persistent threat, or APT.
Black Box Testing is also a great way to discover shadow IT. Do you know all of your registered domains? How about your IP address space? Do you know which cloud platforms your organization is using? Are you aware of where all the systems your organization uses are?
You might feel confident in saying "Yes," but you could be surprised at the results of a Black Box Test: turning up domains, cloud usage, SaaS and shadow IT you weren't aware of. Remember, you can't protect what you don't know about.
Scoping for the Most Bang for Your Buck
Correctly scoping a pen test is the key to extracting maximum value from your pen testing investment.
Tip 4: Don't use pen testers as expensive vulnerability scanners.
If your organization isn't up to date with patches, why would you use penetration testers as expensive human vulnerability scanners? Why use penetration testers to tell you what your vulnerability management program can already tell you?
For example, if you give a decent pen tester access to most internal networks that aren't updated with critical patches, they should have Windows Domain Admin in a day.
Infrastructure pen testing of internal networks that aren't up to date with patches will yield thick pen test reports with just about guaranteed exploitation. You should ensure your penetration testing is targeted, as you'll see in the following tips.
Tip 5: Select user-defined test cases to identify company-specific vulnerabilities.
Most pen test organizations will define standard test cases in their statement of work, typically the OWASP Top 10. While these are important test cases, as the security professional in your business, you will have concerns, misgivings or known risks for the tested systems. You can convert these to test cases and provide them to the pen test vendor when scoping the test.
In typical company-specific test cases, I'll ask to include horizontal and vertical privilege escalation in applications. For financial applications, I'll request a range of repudiation or fraud-based test cases, such as negative amounts in payments.
Also, don't forget to include test cases derived from previously discovered vulnerabilities found through breaches, threat intelligence or pen tests.
Tip 6: Select objective-based testing to target a specific test case.
Objective-based testing is setting a clear objective - no surprise there - for the testers. The object is to execute against a particular test case or threat. Can the pen testers gain access to the CEO's laptop? Can they gain access to SAP Payroll?
Objective-based testing helps validate or invalidate internal assumptions around control efficacy or risk likelihood for the chosen objective.
How do you choose the objective? Every security leader has a "what keeps me up at night" issue that gnaws at them, and objective-based testing can be used in the penetration test to run those scenarios.
In Part 2 of this article, I'll continue discussing how to correctly scope a pen test, starting with leveraging your risk register to create test cases, and take you through tips seven to 11.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Charles Gillman is head of information security at Moula Money. He has over 15 years of experience across security consulting, ethical hacking, cybercrime research, security architecture, security operations and security leadership roles. He built and led information security teams at two of Australia's largest banks before moving to senior roles in the cloud and managed services space.