Recently, I received a call from a long-time friend of mine with who I had never had the opportunity to work professionally. His company was launching a new online store, and after hearing his plans, we conducted an application penetration test to ensure it was secure for launch. This was the last person I thought I would have career intersectionality with, but it made me stop and think. With global penetration testing estimated to maintain above 20% CAGR (compound annual growth) over the next five years, more professionals are finding themselves in the position of needing to plan for, and procure offensive services. This may be due to regulatory compliance, to fulfill a customer requirement, internal due diligence, or even more likely, a combination of similar reasons.
Procuring offensive security services is not a very large ask from those who have done this repeatedly over the last couple of decades. However, this relatively new industry can seem a bit strange to newcomers, and procuring anything of any complexity for the first time can be intimidating. Since Depth Security focuses on providing quality offensive service, I thought it would be helpful to outline how a typical engagement works, from pre-sales to completion, and highlight some qualities that are important in a testing provider. By the end of the blog, you should feel more informed about the penetration testing process and be able to decide what is needed for your business.
Testing the Water
Before jumping into the deep end, it is beneficial to select multiple vendors and walk through the scoping and proposal process with them to see the options available to you. While it is more time-consuming, spending time comparing and testing to see how the relationship feels will help you feel more confident about the choice you make in the end. And be wary: a quick Google search for penetration testing will yield hundreds of companies vying for your business, but just like anything, the firm with the highest marketing budget is not necessarily the firm with the highest quality or value.
A better way to find your ideal partner is to talk to your peers. Word of mouth is powerful, and it works in both directions. For example, firms providing low-value internal penetration test reports full of low-severity or unexploited findings would be great to know about from an avoidance perspective. Try finding someone you know who has worked with multiple penetration testing firms and ask them which ones have made the most impact. You should ask them to be as candid as possible to help you get a full picture, without breaking any NDAs of course.
Pre-engagement interactions set the foundation for success in many projects, and penetration testing is no different. Depending on the firm, you may be working with an account representative, a sales engineer, or even a penetration tester directly if it is a small firm. If they have multiple levels of testing, they should be able to explain those tiers in a way that makes you feel like you understand them. While penetration testing typically refers to runtime or “black box” testing, many firms may offer static or “white box” assessments, or even hybrids of the two, particularly for application security testing. The firms you speak with should be able to articulate their various offerings clearly.
Your individual needs should also influence the type of testing services required since differing targets require different methodologies. Do not be afraid to ask about the differences in methodology between, say, wireless and wired, external versus internal, network versus application, or one type of application vs. another. Testing firms should be happy and able to explain the difference clearly. And if they can’t…that’s an easy way to rule them out!
Check the Certifications
Be aware that various certifications exist for the security industry, including some offensive-focused specifications. There are some, such as CISSP, CEH, and Security+ that only require unfocused, multiple-choice/multiple-answer, written exams to be certified. None of these have enough offensive security rigor to move the needle in a tester’s level of skill.
Instead, look for lab-based certifications such as those from Offensive Security, eLearn Security and CREST, which can be good signs that the testing firm not only has the knowledge but has gone the extra mile to validate their claim.
However, there are well-certified penetration testers who do subpar work, and non-certified veterans you would be lucky to have on your project and vice versa. This is why getting to know your testing provider on more than just a superficial level is important. It just so happens that at Depth Security, a little over 75% of our testers are OSCP-certified. Additionally, 25% are OSCE-certified at the time of this writing, and many have other certs as well. However, it does not directly correlate with seniority, as a couple of our most impressive, most requested testers have no certs.
And finally, I have personally worked with OSCPs who never managed to get an external shell in the wild. It is possible to pass a difficult exam, even a proctored lab-based exam, but have issues applying those lessons in the real world. When evaluating testing providers, certifications are only one piece of the puzzle; they should not be used as absolutes or as gatekeeping devices.
Asking the Right Questions
During the scoping period, you should first be asked fundamental questions, and later, more specific ones. The proper scoping of engagements ensures appropriate coverage of targets by allotting a proportional amount of time to test them. For example, do you want to test your entire network or just a single application? Are you worried about internal or external perspectives? Authenticated or without credentials? Wireless or wired? Are social engineering attacks such as phishing more concerning, or are you worried about server-side attacks where none of your people even come into play? Maybe both? What is a worst-case scenario for your organization? What is the reason for the test in the first place?
More specifically, if you are asking for application penetration testing, they should be inquiring, “What kind?” and “What size?” Follow-up questions about a mobile app should be different from questions about an API or a browser-based application. It can feel good to receive a quote without having to answer a bunch of questions about testing targets; we are all busy. However, this is a red flag that a firm is arbitrarily pricing their engagements without a solid understanding of how long it will take them to get thorough coverage. You might check an audit box with this approach, but three days of testing against a target set that required 13 is still negligent.
And here are some general questions you might ask of prospective providers in your correspondence when choosing firms:
- Do you offer free remediation testing later after bugs are fixed?
- Are all testers full-time employees with the firm, or are they just 1099 contractors?
- Will testing traffic be sourced from the US or are testers global?
- Have the team members released any public research regarding bugs or tooling?
- Can I communicate directly with my tester(s), or do I always have to go through a project manager? What about questions after a project ends?
- What kind of certifications does the team hold? What percentages of the team have these certs?
- What level of web application/api coverage is provided on network penetration tests?
- What would a typical final report look like?
- What percentage of your tests result in a documented attack narrative containing remote code execution or significant levels of remote access?
Regardless of what firm or offering you go with, I cannot stress the importance of finding the right provider for you. Stayed tuned for Part 2 of this blog post, which will outline even more considerations for choosing a vendor, and offers some insight into the penetration testing process. If you have any questions in the meantime, please visit Depth Security online.