Penetration Testing Paradox: Criteria for Evaluating Pentest Providers

Back in the mid-1960s, computer experts warned of the inevitability of bad actors trying to access information across computer lines. In fact, InfoSec Institute cites that “at the 1967 annual Joint Computer Conference…more than 15,000 computer security experts, government and business analysts discussed concerns that computer communication lines could be penetrated, coining the term [penetration testing or white hat testing] and identifying what has become perhaps the major challenge in computer communications today.”

Fast forward to 2020 and businesses will find that the pentesting industry is made up of a lot of providers offering vulnerability management services. But does that mean all penetration testing services offer the same results? Simply stated, the answer is no. To help organizations choose the right team for their pentesting and vulnerability management (VM) programs, consider the following four paradoxical attributes that should help CISOs and CIOs select a top penetration testing partner.

Pentesting Should be Agile, Yet Consistent Over Time

It’s important to hire a talented penetration testing team – one that’s able to look at the environment through the eyes of an attacker and bring their insights of technical risk to the table as the environment and technology become more complex over time. The pentesting team needs to be agile to continuously improve and evolve to meet the ever-changing and elevated risk and complexities that your business may face.

While evaluating agility, it’s important to also look at consistency. Does your potential pentesting partner have a team orientation versus just an individual, or outsourced consultant, who owns the knowledge? What if that individual moves on to “greener pastures?” It’s my recommendation that you shouldn’t consider a white hat tester who acts alone. Rather, choose a pentesting team built around a consistent delivery of quality, service, and results, that can be an extension of your internal team and will bring you the foundational support you need in your vulnerability management program.

The Pentesting Process Should be Custom Yet Standard

With 640 terabytes of data tripping around the globe every minute, is it possible to put standards around your vulnerability management program? In my opinion, it’s not only possible, it’s a necessity.

Who you get doesn’t have to be what you get, as people so often think. From project management workflows and practitioner guides to standardized pentest checklists and testing playbooks, at NetSPI we have formalized quality assurance and oversight so we can deliver consistent results, no matter who your assigned NetSPI security consultant is. With these standardized processes in place, when new vulnerabilities are identified, we are able to quickly mobilize and study the attack scenario, and if appropriate, we add that specific vulnerability to our pentest checklists for future assessments.

Having said that, every situation has its nuances. While understanding that no organization is the same, there may be some commonalities between industries, like similar regulatory bodies to comply with, for example. This allows pentesters to put some standardization into their process while allowing for customization and flexibility that is unique to the client environment from a business or technical perspective.

Technology/IT Should be Automated to Increase Manual Pentesting

Automated scanning is foundational to any penetration testing program. It’s how an organization handles the thousands of results from those scans that is crucial as there will be duplicates, false positives, and many, many data points, oftentimes delivered in spreadsheets or PDFs. Your internal security/IT team is then tasked with sifting through, sorting, and evaluating that data. Is that administrative work the best use of their time?

In my opinion, your internal team should focus on finding solutions for effective and fast vulnerability remediation, rather than spending their time heads down in administrative tasks. It’s up to your pentesting team to identify and communicate the priority vulnerabilities, not hand you a document and wish you luck. Look for a penetration testing provider who has tools in place to automate pentest reporting functions and deliver results that can be easily sorted and acted upon so that the majority of human capital investment is focused on finding and fixing vulnerabilities. A favorite quote of mine from NetSPI product manager Jake Reynolds exemplifies the mindset of those individuals working to solve the technical complexities of vulnerability management (VM), “I want to hack and secure the largest companies in the world…I participate in solving real world problems that affect companies and people across the globe.”

A Focus on Internal R&D Will Strengthen the Entire Security Community

Being able to collaborate with a team is critical in our client relationships. We instill that collaborative mindset through an intense and immersive training program, NetSPI University, for entry-level security testing talent. Why dedicate so much time to continued education and mentorship? At NetSPI, we are consistently asked to see around corners and penetration test more and more complex environments. So, training and collaboration are key to helping us grow and scale pentesting talent to meet our industry’s evolving needs.

Training and collaboration can’t, and isn’t, just a NetSPI initiative. Collaboration and innovation are key to evolving as an enterprise and as an industry. As I wrote in this blog post, pentesters are intensely creative and have highly curious technical minds, and our team strongly believes that the effort we place in research and development with our colleagues should be shared with the broader security community. Case in point? The NetSPI blog is a treasure trove of information for the pentesting community at large, along with the content on our open source portal.

Final words on this subject: Penetration testing services are the same by definition, but none are created equal. When hiring a penetration testing service provider to test your applications, cloud, network, or perform a red teaming exercise, think beyond whether they can simply identify vulnerabilities. Consider pentesting talent, processes, technology, and culture to ensure you’re getting the most value out of your partnership.