Penetration testing, also known as offensive security testing, is in high demand because the security defenses deployed around business-critical assets (web applications, networks, mobile applications, cloud environments and your sensitive, mission-critical data) need to be tested continuously, not once.
According to the Ponemon Institute's State of Offensive Security Report, “68% of respondents say their organizations conduct offensive security testing with third-party offensive security service providers. 27% rely on external testing only, while 41% combine testing by both internal and third-party offensive security service providers. Organizations select third parties for their offensive security testing based on their effectiveness, customization of engagements, and quality of deliverables.”
Entrusting live penetration testing to the wrong vendor will, at best, waste resources and, at worst, leave you more exposed than when you started. Select a penetration tester carefully. According to the Ponemon report, the five most important criteria when engaging offensive security vendors are:
It sometimes seems that everybody with an interest in cybersecurity wants to be a penetration tester. The truth is that not everybody has the mindset for it, and even fewer have the skills. It requires a particular approach to problem-solving, comprehensive domain expertise in penetration testing, and a thorough understanding of the technologies and solutions in play in the environment being tested.
The obvious approach is to look for qualifications, but even these are a mixed bag. Certified Ethical Hacker (CEH) is a popular entry-level certificate. There is nothing wrong with it, but entry-level is not what you should be looking for. The OSCP, long considered the gold standard for hackers, has been held up as the minimum you should expect. It is a challenging exam to pass and can serve as a mandatory minimum expression of competence, but it is still not enough to assure you that you will get the service you need.
So how do you judge? I suggest you look for two things: a sample report and references. Does the report look like a reformatted vulnerability scan, or does it show evidence of manual exploitation and reasoning? Can you talk to previous clients who advocate for the work? No exam will tell you that you are hiring the right team, so you will need to do your own due diligence.
The report you get from your test team needs to achieve several things. First, it needs to give the technical team responsible for remediation enough insight to fix the problems discovered. It needs to walk you through the entire engagement so that you understand what the testers did, what worked, and what didn't. But more than that, it needs to give you sufficient insight into the threats and vulnerabilities to assess risk and make business decisions about what to fix and when.
A penetration testing company will often roll out its usual offering when it starts a test. It's packaged, perhaps semi (or even fully!) automated, targeted to the scope you asked for, and comprises all the usual tests. This is not how attackers work. They survey your attack surface and then head for the low-hanging fruit, the places where they can most easily break in.
From your perspective, these more accessible routes are the highest-risk vectors. You need a penetration tester who appreciates that you are not interested in how cool their tools are; you want to keep the bad guys out. Your hired hackers need to be more interested in your business than in their tools. So, when you interview them, make sure they articulate a business focus and have a methodology that identifies and attacks your highest risks first. Otherwise, what's the point?
A penetration test is a great way to identify and assess vulnerabilities. A pen test uses creative, blended attacks, as real-world adversaries do, to find weaknesses in the systems under test. However, the testers can only see weaknesses in the places they look, and where they look is the test's scope. The organization determines the scope, but that scope is often a smaller attack surface than the one an attacker can find. It is better to have your surface discovered by an Attack Surface Analysis than by an attacker.
An organization's test scope quickly becomes outdated as its attack surface evolves. Risk is continuous, and even the most mature organizations face constant change in their cybersecurity risks. To get the most out of a pen test, organizations should begin with an Attack Surface Analysis (ASA). An ASA identifies the current attack surface and updates the technical and business risks associated with it, so the pen test scope reflects what is actually exposed.
It's all well and good to get a penetration report back that shows how clever the pen testers were and how they exploited all the vulnerabilities and broke in left and right. But it's not that helpful if it doesn't give you the information you need to fix the problems. A good report will tell you, for each issue, what was found, how it was found, how it was exploited, why it's a problem, and the recommended remediation.
Though a read-out call with the testers can be invaluable to getting the back story and context of any exploits, the report should be able to stand alone in conveying the information needed for the client to make business decisions and perform the remediation.
Ready to get started? Contact Truvantis to schedule an Attack Surface Analysis before scoping your next pen test.
Truvantis is a cybersecurity, compliance and privacy consulting organization with comprehensive experience in implementing, testing, auditing, and operating cybersecurity and information privacy programs. In addition to cybersecurity, compliance and privacy services, we offer cybersecurity training courses and certifications. We are also a PCI DSS Qualified Security Assessor (QSA).
We specialize in helping our clients improve their cyber governance posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance.
Finding a trusted partner to conduct your penetration testing can be a daunting task. Giving outside personnel the keys to your house and trusting they have the right skill set to not create an RPE (Resume Producing Event) for an IT Security Manager is a rather unique decision point when deciding on a vendor. With Truvantis, there is no such worry. From the scoping, rules of engagement, methodology, communication, reporting, recommendations, and the people themselves, Truvantis has proven to be a penetration testing partner that we can depend on.
Truvantis takes the time in each of these phases to ensure that the penetration testing is safe, thorough, and provides the utmost value to its customers. Truvantis provides an easy-to-use scoping document and reviews it in great detail with our team to ensure that we are covering all of our compliance needs. Before starting the testing, the rules of engagement are clearly defined, eliminating any concerns of business disruption. Once testing begins, the Truvantis team does a fantastic job of letting our team know when they are starting the testing process and when they conclude for each day; this communication is very important to our internal IT resources.
Once testing concludes, Truvantis provides a very detailed report of their findings and remediation recommendations. During the review of the report, our team really appreciates Truvantis walking us not only through what vulnerabilities they discovered and how to correct them, but also the techniques they leveraged to produce their findings. This transparency is greatly appreciated by our team and also serves as a learning opportunity. All of this is done with the utmost professionalism, while at the same time making our team feel comfortable when discussing any gaps that we need to correct.
As a Truvantis customer for over a decade, it is clear they are passionate about what they do, and we know that we can trust them to perform penetration testing that not only meets security and compliance needs but brings tremendous value as well.
- Heath Stenberg, Senior Manager, Information Security and Compliance, Dunn-Edwards Corporation
We know what you're going through because we've been there. Our experts have spent many years inside both large enterprise tech companies and mid-market businesses. We know what it's like to lead security inside large, complex organizations, and we also know what it's like to wear many hats and carry multiple IT and operational responsibilities, not the least of which is security.
Vulnerabilities naturally occur in growing businesses as networks and systems expand and merge. In cybersecurity, you rarely solve every vulnerability that you find. It's more about taking a practical risk management approach. There's always a pragmatic way forward to improve cyber-governance, risk mitigation and corporate resilience.
Communication is critical for any cybersecurity or privacy program to be effective. The Truvantis team translates cybersecurity techie-talk to the business domain, providing business-based guidance for Executives and the Board while partnering with IT and R&D to achieve common goals, appearing as a business enabler rather than a security enforcement function.
We understand that you must justify the cybersecurity budget, which can be challenging to explain. Security is dynamic and partly reactive: it changes in response to new threats, incidents, and new regulations. The information security officer's role is to work with leadership to determine acceptable levels of risk for the organization.
We help translate IT geek speak into the language of business risk needed to make budget decisions. Armed with the correct data, executives can make informed choices regarding acceptable risks and the security program budget. The result is a security program that you can build and operate to holistically meet your compliance objectives, risk tolerance and budget, and that supports your sales team.
Most businesses today are subject to evolving cybersecurity threats and multiple consumer data privacy regulations like GDPR, HIPAA, CPRA, GLBA and other state, federal and international laws. Our vCISO service can help you build a centralized cybersecurity, data privacy and compliance program.
A risk management approach is the basis of an effective cybersecurity program. It identifies vulnerabilities in the information management system, scores them according to priority, and weighs the cost of treating each against its business advantages. This type of risk management process is also often a hard requirement for organizations that carry business risk insurance.
Your Truvantis vCISO monitors the changing landscape of security and compliance and advises you on the impact on your organization. Should you have a security incident, we will lead the execution of your incident response plan.