The Penetration Testing Paradox: Criteria for Evaluating Providers
Fast forward to 2020, and businesses will find that the pentesting industry is made up of a lot of players offering vulnerability management services. But does that mean all pentesting services offer the same results? Simply stated, the answer is no. To help organizations choose the right team for their pentesting or vulnerability management (VM) program, CISOs and CIOs should weigh the following four paradoxical attributes when selecting a pentesting partner.
Talent Should be Agile, Yet Consistent Over Time
It’s important to hire a talented pentesting team – one that’s able to look at the environment through the eyes of an attacker and bring their insights of technical risk to the table as the environment and technology become more complex over time. The team needs to be agile to continuously improve and evolve to meet the ever-changing and elevated risk and complexities that your business may face.
While evaluating agility, it’s important to also look at consistency. Does your potential partner have a team orientation, versus just an individual or outsourced consultant who owns the knowledge? What if that individual moves on to “greener pastures?” It’s my recommendation that you shouldn’t consider a white hat tester who acts alone. Rather, look for a team that is built around consistent delivery of quality, service, and results, one that can be an extension of your internal team and will bring you the foundational support you need in your vulnerability management program.
The Process Should be Custom Yet Standard
With 640 terabytes of data tripping around the globe every minute, is it possible to put standards around your vulnerability management program? In my opinion, it’s not only possible, it’s a necessity.
Who you get doesn’t have to be what you get, as people so often think. From project management workflows and practitioner guides to standardized checklists and testing playbooks, at NetSPI we have formalized quality assurance and oversight so we can deliver consistent results, no matter who your assigned NetSPI security consultant is. With these standardized processes in place, when new vulnerabilities are identified, we are able to quickly mobilize and study the attack scenario, and if appropriate, we add that specific vulnerability to our lists for future assessments.
Having said that, every situation has its nuances. While understanding that no organization is the same, there may be some commonalities between industries, like similar regulatory bodies to comply with, for example. This allows pentesters to put some standardization into their process while allowing for customization and flexibility that is unique to the client environment from a business or technical perspective.
Technology/IT Should be Automated to Increase Manual Testing
Automated scanning is foundational to any pentesting program. It’s how an organization handles the thousands of results from those scans that is crucial, as there will be duplicates, false positives, and many, many data points, oftentimes delivered in spreadsheets or PDFs. Your internal security/IT team is then tasked with sifting through, sorting, and evaluating that data. Is that administrative work the best use of their time?
In my opinion, your internal team should focus on finding solutions for effective and fast vulnerability remediation, rather than spending their time heads down in administrative tasks. It’s up to your pentesting team to identify and communicate the priority vulnerabilities, not hand you a document and wish you luck. Look for a pentesting partner who has tools in place to automate reporting functions and deliver results that can be easily sorted and acted upon, so that the majority of human capital investment is focused on finding and fixing vulnerabilities. A favorite quote of mine from NetSPI product manager Jake Reynolds exemplifies the mindset of those individuals working to solve the technical complexities of VM: “I want to hack and secure the largest companies in the world…I participate in solving real world problems that affect companies and people across the globe.”
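The two paragraphs above describe the triage work that sits between raw scanner output and a remediation worklist: merging duplicate findings from different tools, setting aside verified false positives without losing the record of why, and ranking what remains so the internal team can act on it in order. The script below is an added illustration of that pipeline, not NetSPI's tooling or any scanner's real output format. The findings, scanner names, hosts, and asset criticality ratings are all constructed sample data, and the CVE-style identifiers are placeholders rather than real CVE numbers.

```python
"""Consolidate raw vulnerability scan findings into a de-duplicated,
prioritized worklist. Added example; all data below is constructed."""

# Constructed sample: two scanners ("scannerA"/"scannerB" are assumed names)
# covered the same hosts. Duplicates and one known false positive are
# included on purpose. The CVE-0000-* identifiers are placeholders.
RAW_FINDINGS = [
    {"scanner": "scannerA", "host": "10.0.0.5", "port": 443, "id": "CVE-0000-0001",
     "severity": "high", "title": "TLS library out of date"},
    {"scanner": "scannerB", "host": "10.0.0.5", "port": 443, "id": "CVE-0000-0001",
     "severity": "critical", "title": "Outdated TLS library"},
    {"scanner": "scannerA", "host": "10.0.0.5", "port": 22, "id": "SSH-WEAK-MAC",
     "severity": "low", "title": "Weak MAC algorithms offered"},
    {"scanner": "scannerB", "host": "10.0.0.9", "port": 80, "id": "HTTP-TRACE",
     "severity": "medium", "title": "HTTP TRACE enabled"},
    {"scanner": "scannerA", "host": "10.0.0.9", "port": 80, "id": "HTTP-TRACE",
     "severity": "medium", "title": "TRACE method allowed"},
    {"scanner": "scannerA", "host": "10.0.0.7", "port": 8080, "id": "CVE-0000-0002",
     "severity": "critical", "title": "Remote code execution in app server"},
]

# Triage decisions carried over from earlier rounds: findings a tester has
# verified as false positives, keyed by (host, port, id), with a justification.
ACCEPTED_FALSE_POSITIVES = {
    ("10.0.0.9", 80, "HTTP-TRACE"):
        "Verified: reverse proxy drops TRACE before it reaches the origin",
}

# Business context the scanner does not have (constructed): 1 = low, 3 = high.
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.7": 3, "10.0.0.9": 1}

SEVERITY_SCORE = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def dedupe_findings(findings):
    """Merge findings that describe the same issue on the same host and port.
    Scanners disagree on wording and severity, so keep the highest severity
    and record every scanner that reported it to preserve the evidence trail."""
    merged = {}
    for f in findings:
        key = (f["host"], f["port"], f["id"])
        if key not in merged:
            entry = {k: v for k, v in f.items() if k != "scanner"}
            entry["scanners"] = {f["scanner"]}
            merged[key] = entry
            continue
        cur = merged[key]
        cur["scanners"].add(f["scanner"])
        if SEVERITY_SCORE[f["severity"]] > SEVERITY_SCORE[cur["severity"]]:
            cur["severity"] = f["severity"]
            cur["title"] = f["title"]
    return list(merged.values())


def suppress_false_positives(findings, accepted=ACCEPTED_FALSE_POSITIVES):
    """Set aside previously verified false positives, but return them with
    their justification so the report can show what was suppressed and why."""
    kept, suppressed = [], []
    for f in findings:
        key = (f["host"], f["port"], f["id"])
        if key in accepted:
            suppressed.append({**f, "reason": accepted[key]})
        else:
            kept.append(f)
    return kept, suppressed


def prioritize(findings, criticality=ASSET_CRITICALITY):
    """Rank by severity weighted with asset criticality; corroboration by more
    than one scanner breaks ties. Highest priority first."""
    def score(f):
        base = SEVERITY_SCORE[f["severity"]] * criticality.get(f["host"], 1)
        return round(base + 0.1 * len(f["scanners"]), 1)
    ranked = [{**f, "priority": score(f)} for f in findings]
    ranked.sort(key=lambda f: f["priority"], reverse=True)
    return ranked


def build_worklist(raw=RAW_FINDINGS):
    """Full pipeline: raw findings -> merged -> suppressed -> ranked."""
    kept, suppressed = suppress_false_positives(dedupe_findings(raw))
    return prioritize(kept), suppressed


if __name__ == "__main__":
    worklist, suppressed = build_worklist()
    for f in worklist:
        print(f"{f['priority']:>5}  {f['severity']:<8} {f['host']}:{f['port']:<5} "
              f"{f['id']:<15} via {','.join(sorted(f['scanners']))}")
    for f in suppressed:
        print(f"suppressed {f['host']}:{f['port']} {f['id']} ({f['reason']})")
```

Run as-is to see the ranked worklist followed by the suppressed entries. The design choice worth noting is that suppression never deletes: a verified false positive stays in the output with its reason, so the next assessment can retest it instead of rediscovering it, and the scanner names carried through deduplication show which findings were corroborated by more than one tool.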
A Focus on Internal R&D Will Strengthen the Entire Security Community
Being able to collaborate with a team is critical in our client relationships. We instill that collaborative mindset through an intense and immersive training program for entry-level talent, NetSPI University. Why dedicate so much time to continued education and mentorship? At NetSPI, we are consistently being asked to see around corners and pentest more and more complex environments. So, training and collaboration are key to helping us grow and scale talent to meet our industry’s evolving needs.
Training and collaboration can’t be, and aren’t, just a NetSPI initiative. Collaboration and innovation are key to evolving as an enterprise and as an industry. As I wrote in this blog post, pentesters are intensely creative and have highly curious technical minds, and our team strongly believes that the effort we place in research and development with our colleagues should be shared with the broader security community. Case in point? The NetSPI blog is a treasure trove of information for the pentesting community at large, along with the content on our open source portal.
Final words on this subject: Pentesting services are the same by definition, but none are created equal. When hiring a pentesting service provider to test your applications, cloud, network, or perform a red teaming exercise, think beyond whether they can simply identify vulnerabilities. Consider talent, processes, technology, and culture to ensure you’re getting the most value out of your partnership.