Choosing The Right Penetration Testing Vendor (Fall 2019 Version)

Pen Testing or Penetration Testing

If you’re considering hiring an IT security firm for pen testing or penetration testing, you need to ask yourself one question: am I trying to pass a test for compliance, or do I want the best security testing?

If you just want to pass a test, this document will not help you.

But if you want high-quality IT security testing, keep reading.

We’ll look at the four methods of IT security testing, pricing models, proposal evaluation, and questions to ask your vendor.

The Four Methods of IT Security Testing

Penetration Testing (PT) is a high-quality IT security testing method. It is used to positively identify points of vulnerability.

Pen testers use exploitation to determine which points are vulnerable. If a point is successfully exploited, it is considered a vulnerability and reported. If not, it is not reported.

There are no “false positives” with pen testing: every reported finding has been demonstrated. The trade-off is that anything the team could not exploit within the engagement’s scope and time goes unreported, so coverage depends on the testers’ skill (see the vendor-evaluation section below).

Penetration testing should be designed to produce levels of threat that are at least equal to those likely to be faced in the “real world.” Anything less than this is a waste of time.

Pen testing is commonly used to test networks, web applications, and physical security.

Vulnerability Assessments

A Vulnerability Assessment (VA) identifies and assesses vulnerabilities but does not exploit them. This makes it a medium-quality form of IT security testing.

It cannot be applied to…

  • Social engineering
  • Running web applications
  • Distributed metastasis (pivoting from one compromised system to the next)

All of these require some form of exploitation of the threat, and that is PT, not VA.

For this reason, VA does not replicate real-world scenarios the way PT can.

Vulnerability Assessment deliverables can contain false positives, because a finding is reported without being proven. A VA is therefore a “good guess,” not a full test.

VAs are good for quarterly checkups, source code reviews, and configuration reviews.

Vulnerability Research (VR)

Vulnerability research (VR) is an investigation into how susceptible something is to attack or harm.

Vulnerability research is often used for advanced source code reviews, reverse engineering, and exploit development.

Vulnerability research is limited only by the project scope and the researcher’s skill.

Good vulnerability researchers have a deep understanding of assembly language for a variety of architectures and extensive experience in reverse engineering.

The most talented researchers will also be experts in higher-level programming.

Vulnerability research produces the highest possible levels of threat and most closely reflects “real life.”

VR is often used to create the exploits and tools that are used to penetrate systems.

Automated Scanning (AS)

Automated Scanning is performed by a computer program, a vulnerability scanner, with little or no human judgement involved.

Vulnerability scanners attempt to match patterns in the target (a service banner, a version string, a response to a probe) with patterns in a rule. If there is a match, the scanner assumes that a vulnerability has been identified and reports it. Nothing is exploited or otherwise proven.

Automated scanners are the most limited form of IT security testing. The threats they produce are the least like “real life,” and they generate a lot of false positives (a pattern matches, but the flaw is not actually present or reachable) and false negatives (the flaw is present, but nothing in the rule set matches it).

AS is useful for reconnaissance and should never be a standalone IT security testing method.
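The following is an added example, not code from the original article or from the vendor it describes. It models the difference the three paragraphs above draw between a pattern-matching scanner and an exploitation-based test: a toy signature rule is run over a constructed inventory of hosts, and the result is compared with what a tester who actually exercises the flaw would report. The product name ExampleHTTPD, the version numbers, the rule and the ground-truth flags are all made up for illustration and refer to no real advisory; a real engagement would replace `attempt_exploit` with a proof-of-concept request against the target.

```python
"""Toy signature scanner vs. exploitation-based verification (added example).

Scenario (constructed): a hypothetical flaw in ExampleHTTPD is fixed in
2.4.50.  A banner-matching rule flags any 2.4.x below that.  The inventory
below deliberately includes the two cases where banner matching goes wrong:
a host whose distribution backported the fix without changing the banner
(false positive) and an unpatched host that hides its version string
(false negative).
"""
import re

# Constructed inventory.  "actually_vulnerable" stands in for the outcome a
# pen tester would establish by exploiting the host; it is a fixed value here
# only so the example runs offline.
HOSTS = {
    "web-1": {"banner": "Server: ExampleHTTPD/2.4.49", "actually_vulnerable": True},
    # Backported fix: patched, but the version banner is unchanged.
    "web-2": {"banner": "Server: ExampleHTTPD/2.4.49", "actually_vulnerable": False},
    # Version suppressed in the banner, but the host is still unpatched.
    "web-3": {"banner": "Server: ExampleHTTPD", "actually_vulnerable": True},
    "web-4": {"banner": "Server: ExampleHTTPD/2.4.51", "actually_vulnerable": False},
}

# Hypothetical scanner rule: match the banner and compare the patch level.
BANNER_RULE = re.compile(r"ExampleHTTPD/2\.4\.(\d+)")
FIXED_IN_PATCH_LEVEL = 50


def scanner_findings(hosts):
    """What a pattern-matching scanner reports: every banner that matches
    the rule and parses as an unfixed version.  No exploitation happens."""
    flagged = []
    for host, info in sorted(hosts.items()):
        match = BANNER_RULE.search(info["banner"])
        if match and int(match.group(1)) < FIXED_IN_PATCH_LEVEL:
            flagged.append(host)
    return flagged


def attempt_exploit(host, info):
    """Simulated exploitation step.  In a real test this would send the
    proof-of-concept request and check the server's behaviour; here it
    simply returns the constructed ground truth for the host."""
    return info["actually_vulnerable"]


def pentest_findings(hosts):
    """What an exploitation-based test reports: only hosts where the
    exploit attempt succeeded, regardless of what the banner says."""
    return [host for host, info in sorted(hosts.items()) if attempt_exploit(host, info)]


def classify_scanner_results(hosts):
    """Compare the scanner's output against the proven results and sort each
    host into true positive, false positive or false negative."""
    scanned = set(scanner_findings(hosts))
    proven = set(pentest_findings(hosts))
    return {
        "true_positives": sorted(scanned & proven),
        "false_positives": sorted(scanned - proven),
        "false_negatives": sorted(proven - scanned),
    }


if __name__ == "__main__":
    print("scanner reports :", scanner_findings(HOSTS))
    print("pen test reports:", pentest_findings(HOSTS))
    for label, hosts in classify_scanner_results(HOSTS).items():
        print(f"{label:16s}: {hosts}")
```

Running it shows the scanner flagging web-1 and web-2 while the exploitation-based test reports web-1 and web-3: web-2 is the false positive a VA or scanner report can contain, and web-3 is the false negative that a banner rule cannot see. The point for vendor evaluation is that only the second list has been demonstrated, which is what the article means by a pen test proving vulnerability.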

Important Concepts to Keep in Mind When Evaluating Vendors

A penetration test is only as good as the team performing it. They should be able to

  • perform their own research
  • write their own code
  • understand how exploits work
  • write their own exploits

Ask pen testing companies to show you proof of research:

  • 3 or more published advisories
  • 3 or more published research articles
  • 3 or more published exploits

Penetration tests must test at levels of threat at least equal to those produced by malicious hackers. Testing at less than realistic levels of threat is ineffective from a security perspective.

Compliant does not mean secure. Most regulatory requirements can be satisfied by a poor-quality network penetration test. Don’t be fooled.

Pricing

Measured Attack Surface Pricing

An attack surface is the sum of all potential places where your systems can be attacked: every exposed host, service, application, input and user role, not just the count of IP addresses or pages.

The vendor must perform a technical assessment to measure the attack surface. This cannot be done by guesswork or rough estimates.

Only then can the vendor determine the time required and calculate a price.

Target-Count Pricing

This is “price per IP address” or “price per page” pricing.

Some IP addresses have far more attack surface than others: a host with one filtered port and a host running a dozen services cost the same under this model.

Some web applications consist of only one page but have a huge attack surface (many forms, parameters, API calls and user roles behind that single page). Others consist of many pages but have a very small attack surface.

With this pricing, you’ll either be paying too much for not enough work or paying too little and not getting the full testing you need.

And yet, this is the most common form of pricing.

Insist on a measured attack surface and pricing based on it.

Questions to Ask Prospective Vendors

  1. How much do you rely on automated scanners? The more a vendor relies on automated scanners for testing, the lower the test quality and overall results will be.
  2. What are the differences between a penetration test and a vulnerability assessment? Does the vendor know that a PT uses exploitation to PROVE vulnerability and does not generate false positives?
  3. Does the vendor know that a vulnerability assessment (VA) does not prove vulnerability and can generate false positives?
  4. Do you do vulnerability research? If yes, ask for at least three advisories they have published.
  5. Does your company use homemade malware, i.e. tools written in-house rather than off-the-shelf? Custom malware enables a penetration testing vendor to test at realistic levels of threat, since it is not already known to the defensive tooling the target runs.
  6. Can you provide a realistic sample report with real-world findings written by a human and not a scanner?

Call the experts at Petronella Technology Group, Inc. today at (877) 468-2721 for world-class penetration testers trusted and used by the Department of Defense, nation states and more.