Pen Testing or Penetration Testing

If you’re considering hiring an IT security firm for pen testing or penetration testing, you need to ask yourself one question. Am I concerned about passing a test for compliance or do I want the best security testing?

If you just want to pass a test, this document will not help you.

But if you want high-quality IT security testing, keep reading.

We’ll look at the 4 methods of IT security testing, pricing models, proposal evaluation, and questions to ask your vendor.

The 4 Methods of IT Security Testing

Penetration Testing (PT) is a high-quality IT security testing method. It is used to positively identify points of vulnerability.

Pen testers use exploitation to determine the vulnerable points. If a point is successfully exploited, it's considered a vulnerability and reported. If not, it's not reported.

There are no “False Positives” with pen testing.

Penetration testing should be designed to produce levels of threat that are at least equal to those likely to be faced in the "real world." Anything less than this is a waste of time.

Pen testing is often used to test networks, web applications, and physical security.

Vulnerability Assessments

Vulnerability Assessment (VA) assesses but does not exploit the vulnerabilities that it identifies. This makes it a medium-quality form of IT security testing.

It cannot be applied to…

All of these require some form of "exploitation" of the threat. And that is PT, not VA.

For this reason, VA does not replicate real-world scenarios the way PT can.

Vulnerability Assessment deliverables can contain False Positives. Therefore, a VA is a "good guess," not a full test.

VAs are good for quarterly checkups, source code reviews, and configuration reviews.

Vulnerability Research (VR)

The term “vulnerability research” or VR is an investigation to determine how susceptible something is to attack or harm.

Vulnerability research is often used for advanced source code reviews, reverse engineering, and exploit development.

Vulnerability research is limited only by the project scope and the researcher's skill.

Good vulnerability researchers have a deep understanding of assembler for a wide variety of architectures and extensive experience in reverse engineering technology.

Most talented researchers will also be experts in higher-level programming.

Vulnerability Research produces the highest possible levels of threat and closely reflects "real life."

VR is often used to create programs that are designed to penetrate into systems.

Automated Scanning (AS)

Automated Scanning is done by a computer program.

Vulnerability scanners attempt to match patterns in the target with patterns in a rule. If there is a match, the scanner assumes that a vulnerability has been identified and reports it.

Automated Scanners are the most limited form of IT security testing. The threats they produce are the least like “real life” and they generate a lot of false positives and negatives.

AS is useful for reconnaissance and should never be a standalone IT security method.
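To make the pattern-matching point concrete, here is an added illustration (not code from the original page or from any scanner product) of a banner-matching scanner run against constructed hosts. The rule ids, product names, banners and the "actually vulnerable" ground truth are all made up for the example; the ground truth stands in for what a pen tester would establish by exercising the service.

```python
import re

# Constructed signature rules in the style of a pattern-matching scanner:
# a rule fires when the service banner matches its regex. The ids and
# product names are placeholders, not real scanner rule identifiers.
RULES = [
    {"id": "RULE-001", "pattern": r"ExampleHTTPd/1\.[0-3]\.", "finding": "outdated ExampleHTTPd"},
    {"id": "RULE-002", "pattern": r"ExampleSSH_7\.", "finding": "outdated ExampleSSH"},
]

# Constructed hosts. "actually_vulnerable" is the ground truth a tester would
# confirm by exercising the service; the scanner never sees this field.
HOSTS = [
    {"host": "10.0.0.1", "banner": "ExampleHTTPd/1.2.9", "actually_vulnerable": True},
    # Same version string, but the vendor backported the fix: the regex still fires.
    {"host": "10.0.0.2", "banner": "ExampleHTTPd/1.2.9-patched3", "actually_vulnerable": False},
    # Current version with a dangerous misconfiguration: no banner pattern can see it.
    {"host": "10.0.0.3", "banner": "ExampleHTTPd/2.0.1", "actually_vulnerable": True},
    # Version matches the rule but this build was never affected.
    {"host": "10.0.0.4", "banner": "ExampleSSH_7.4", "actually_vulnerable": False},
]


def scan(hosts, rules):
    """Signature matching only: report every (host, rule) whose banner matches."""
    findings = []
    for h in hosts:
        for r in rules:
            if re.search(r["pattern"], h["banner"]):
                findings.append((h["host"], r["id"]))
    return findings


def classify(hosts, findings):
    """Compare scanner output with ground truth to separate TP, FP and FN."""
    flagged = {host for host, _ in findings}
    truth = {h["host"]: h["actually_vulnerable"] for h in hosts}
    return {
        "true_positives": sorted(h for h in flagged if truth[h]),
        "false_positives": sorted(h for h in flagged if not truth[h]),
        "false_negatives": sorted(h for h, v in truth.items() if v and h not in flagged),
    }


if __name__ == "__main__":
    results = classify(HOSTS, scan(HOSTS, RULES))
    for kind, hosts in results.items():
        print(f"{kind}: {hosts}")
```

Of the three findings the scanner reports, two are false positives, and the one host that is actually exposed but has a current banner is missed entirely; that is the reconnaissance-only role the page assigns to automated scanning.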

Important Concepts to Keep in Mind When Evaluating Vendors

A penetration test is only as good as the team administering it. They should be able to

Ask pen testing companies to show you proof of research.

Penetration Tests must test at levels of threat that are at least equal to that which is produced by malicious hackers. Testing at less than realistic levels of threat is ineffective from a security perspective.

Compliant does not mean secure. Most regulatory requirements can be addressed by a poor-quality network penetration test. Don't be fooled.


Measured Attack Surface Pricing

An attack surface is the sum of all potential places where your systems can be attacked.

The vendor must perform a technical assessment to measure the attack surface. This cannot be done manually or by guesswork and estimates.

Then the vendor can determine the time requirements and calculate the price.

Target-Count Pricing

This is "price per IP address" or "price per page" pricing.

Some IP addresses might have more attack surface than others.

Some web applications may consist of only one page but have a huge attack surface. And some web applications may consist of multiple pages but have a very small attack surface.

With this pricing, you’ll either be paying too much for not enough work or paying too little and not getting the full testing you need.

And yet, this is the most common form of pricing.

Insist on more accurate assessments and pricing.
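As an added worked comparison (not from the original page and not any vendor's pricing method), the following compares a per-page quote with a quote based on a simple measured attack surface for two constructed applications: a one-page app backed by many API endpoints and a twelve-page brochure site with a single contact form. The surface metric (one unit per endpoint plus one per parameter) and the rates are the example's own assumptions.

```python
# Constructed inventories of two web applications. "pages" is what a
# per-page quote counts; "endpoints" lists (method, path, parameters) and
# is what an attacker can actually reach.
APPS = {
    "single_page_app": {
        "pages": 1,
        "endpoints": [
            ("POST", "/api/login", ["username", "password"]),
            ("GET", "/api/orders", ["status", "page", "sort"]),
            ("POST", "/api/orders", ["sku", "qty", "coupon", "address"]),
            ("PUT", "/api/profile", ["name", "email", "phone", "avatar"]),
            ("POST", "/api/upload", ["file", "description"]),
            ("GET", "/api/search", ["q", "category", "min_price", "max_price"]),
        ],
    },
    "brochure_site": {
        "pages": 12,
        "endpoints": [
            ("GET", "/" + p, [])
            for p in ["", "about", "team", "services", "pricing", "blog",
                      "news", "careers", "faq", "privacy", "terms"]
        ] + [("POST", "/contact", ["name", "email", "message"])],
    },
}


def measure_attack_surface(app):
    """Example metric (an assumption, not a standard): one unit per reachable
    endpoint plus one per parameter it accepts."""
    return sum(1 + len(params) for _method, _path, params in app["endpoints"])


def compare_pricing(apps, per_page_rate, per_unit_rate):
    """Quote each app two ways: target-count (per page) and measured surface."""
    quotes = {}
    for name, app in apps.items():
        units = measure_attack_surface(app)
        quotes[name] = {
            "pages": app["pages"],
            "surface_units": units,
            "per_page_quote": app["pages"] * per_page_rate,
            "measured_quote": units * per_unit_rate,
        }
    return quotes


if __name__ == "__main__":
    for name, q in compare_pricing(APPS, per_page_rate=100, per_unit_rate=100).items():
        print(name, q)
```

With equal rates, the per-page quote prices the brochure site at twelve times the single-page app, while the measured quote ranks them the other way round, because the single-page app exposes more inputs.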

Questions to Ask Prospective Vendors

  1. How much do you rely on Automated Scanners? The more a vendor relies on Automated Scanners for testing, the lower the test quality and overall results will be.
  2. What are the differences between a Penetration Test and a Vulnerability Assessment? Does the vendor know that a PT uses exploitation to PROVE vulnerability and does not generate false positives?
  3. Does your vendor know that a vulnerability assessment (VA) does not prove vulnerability and generates false positives?
  4. Do you do vulnerability research? If yes, ask for at least three advisories they have published.
  5. Does your company use homemade malware? Homemade malware enables a Penetration Testing vendor to test at realistic levels of threat.
  6. Can you provide a realistic sample report with real-world findings written by a human and not a scanner?

Call the experts at Petronella Technology Group, Inc. today at (877) 468-2721 for world-class penetration testers trusted and used by the Department of Defense, nation states and more.
