Checklist: Getting the Most Value Out of Penetration Testing and Vulnerability Management
You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. And you’ve committed to building an ongoing and continuous vulnerability management program to guard against the potential threats to your assets. Now what?
Putting a successful vulnerability management program in place needs careful consideration up-front to ensure your organization is set up for success to remediate vulnerabilities for each application and system you have. The following checklist breaks the best practices process down and provides you with a planning roadmap to getting the most value out of a penetration testing and vulnerability management program.
Penetration Testing Program Plan of Attack
Deliverable |
Elements of Success |
Requirements |
Step One: The Plan |
Develop a plan that puts structure and strength around cybersecurity to include continuous vulnerability testing and patching, incident response plans, and training and security awareness programs. The ultimate goal? Decrease time to remediation and to close security gaps in your network. Clearly define the scope, objectives, identification of testing, and the order in which they are to be performed. Build a vulnerability management team. This could include both in-house talent as well as industry analysts or consultants. When choosing a pentesting service provider, ask about the credentials of their pentesting team, beyond technical competencies. Will your team be comprised of a dedicated work group or an outsourced group who haven’t previously worked together, for example. Team structure has implications on streamlined communications and in knowing who is inside your network. Augment with careful preliminary risk planning with contingency plans should any services be unintentionally disrupted. Types of penetration testing: |
□ Develop a high-level vulnerability management plan – be sure to include non-negotiables such as scalability and continuous testing □ Present your case to business leadership; gain agreement on budge □ Refine plan and define ownership and scope of your program to include personnel and their roles and responsibilities □ Develop policies, standards, and procedures □ Determine merchandising strategy – to bring visibility to the program’s successes |
Step Two: Scanning and Assessment | Layer in automated scanning functions that deliver results that can be easily sorted and acted upon with human capital to find and fix vulnerabilities. Create an enumeration (list and count) of suspected vulnerabilities that are enumerated only after using multiple automated tools over time, not just one single tool. Build in further analysis of suspected vulnerabilities using specialized tools and manual techniques as required. |
□ Identify all assets you want to scan □ Define vulnerability landscape:
□ Define actionable reporting structure of vulnerabilities □ Deploy automated vulnerability scanning, use authenticated mode to scan high-value resources □ Prioritize pentesting cadence, beginning with an external network penetration test followed by internal network testing □ Commence manual pentesting |
Step Three: Preparing for Risk-Based Remediation | Develop a risk-based remediation plan commensurate with your program’s maturity level and appetite for business risk. Employ a comprehensive verification of high-risk vulnerabilities including but not limited to safe exploitation of these vulnerabilities using both automated and manual processes, including the injection of malicious code when called for. |
□ Rank vulnerabilities through an established remediation timeline. For example:
□ Assign application and system remediation owner □ Build in business leadership approvals for long lead remediations |
Step Four: Ongoing Reporting and Improvement | Automate your vulnerability management program as much as possible: spreadsheets, emails, and document sharing portals are insufficient for most organizations, large ones in particular. Automation enables 24/7 pentest report visibility with business leadership and continuous improvement. Find a penetration testing reporting platform that is engaging and customizable to showcase what is most important to your business, one that can track and compare data over time. |
□ Build a reporting framework – for the pentesting team and for business leadership □ Identify continual improvement opportunities □ Use comparison data to showcase progress over time and highlight successes |
All organizations should aspire to have the people, processes, and tools necessary to effectively execute an ongoing vulnerability management program. Failure to do so may result in poor tool selections, testing mistakes, and faulty interpretation of vulnerability scanner and pentest results that often lead to a false sense of security and could put the enterprise at risk. By building out a vulnerability management plan, as depicted above, you can dramatically increase the security of your enterprise and can be better assured to reach your ultimate goal: to decrease time to remediation and close any security gaps in your network.
Explore more blog posts
Clarifying CAASM vs EASM and Related Security Solutions
Unscramble common cybersecurity acronyms with our guide to CAASM vs EASM and more to enhance attack surface visibility and risk prioritization.
Filling up the DagBag: Privilege Escalation in Google Cloud Composer
Learn how attackers can escalate privileges in Cloud Composer by exploiting the dedicated Cloud Storage Bucket and the risks of default configurations.
Bytes, Books, and Blockbusters: The NetSPI Agents’ Top Cybersecurity Fiction Picks
Craving a cybersecurity movie marathon? Get recommendations from The NetSPI Agents on their favorite media to get inspired for ethical hacking.