Previously, we discussed best practices for tracking vulnerability data through to remediation. In this post, we’re explore the challenge of streamlining human penetration testing (pentesting) data into the vulnerability orchestration process. We provide three best practices you can use when engaging a third-party pentesting company to ensure the pentesting data is delivered in a way that is compatible with your security orchestration process.
Pentesting is an essential threat and vulnerability management process used to discover some of the most important vulnerabilities in your environment. Human pentesters find vulnerabilities that scanners can’t catch, but an attacker will find. The challenge often becomes how to track and remediate those vulnerabilities after the test is complete.
Two Challenges of Pentesting Data for Security Orchestration
Vulnerability scanners use known data formats that don’t change often, which is easy to incorporate into security orchestration tools. Once you’ve integrated your scan results into a vulnerability orchestration process and normalized them, you have some confidence that the process will continue to work as designed. In comparison, pentesters often do not follow a known data format and may add information to the report, in addition to the specific findings.
Findings from third-party penetration testing companies often arrive as a static report in PDF format. This format makes it difficult to streamline those results in an automated way when you expect a standard input. Some reports may come with a CSV file of the findings, which provides a more structured data format, but correlating those findings with existing vulnerabilities may require manual review.
The pentesting company’s report may include custom information. This documents the vendor’s work and shows they did more than a scan, it presents problems for streamlining that data into an orchestrated process – especially if the information must be enriched before sending it to the remediation resources. For instance, the remediation recommendations or the described business impact may not align with your corporate policy. You may disagree with their severity assessment, for example, because you have more knowledge of the asset’s importance or mitigating factors in your environment.
Three Best Practices for Pentest Data Compatibility
Receiving formatted, structured pentest results from a penetration testing company allows you to streamline your vulnerability orchestration process and track the findings through to remediation. The following three best practices can help align the pentest data with your organization’s process.
Provide a template for your expected data format. The data format for the pentest findings must be predefined for your vulnerability orchestration and automation to work properly. You know your format, but the pentesting company doesn’t. Share your format prior to engaging the vendor to ensure they will accommodate your requirements. The best pentesting company will be able to deliver the results in a structured format that’s customized for you.
Provide a reference rubric with IDs for your common vulnerability types. Consider your normalization requirements for vulnerability definitions. If you’ve standardized the common ones, provide a reference rubric that can be added to the results. This rubric will allow you to correlate the test results with an associated reference directly to an existing definition. Once you’ve put the formatted, structured pentest results into your orchestration process, you can track to remediation.
Provide a retest template. When submitting a retest request, ensure that the vendor’s output matches an expected format so you can automate the data marking for closing the vulnerabilities that have been verified. This might be the same format you started with, or it might be a simpler retest template for the vendor to fill out.
These three best practices can help you ensure the pentesting data is compatible with your vulnerability orchestration process.
Read the earlier posts in this series: