In today’s world of automated hacking systems, frequent data
breaches and consumer protection regulations such as GDPR and PCI
DSS, penetration testing is now an essential security requirement
for organisations of all sizes. But what should you look for when
choosing the right provider?

The sheer number of providers can be daunting, and finding one
which can deliver a high-quality test at a reasonable price is not
easy. How do you know if they’re any good? What level of security
expertise was included in the report? Is your application secure,
or did the supplier simply not find the weaknesses?

There are no easy answers, but you can make it easier by asking
the right questions up front. The most important considerations
fall into three categories: certifications, experience, and
price.

Certifications

Certifications are the best place to start, as they provide a
quick shortcut for building trust. There’s no shortage of
professional certifications available, but one of the most
well-recognised is CREST (Council of Registered Ethical Security
Testers).

CREST[1]
was set up by the UK’s leading pen testing consultancies precisely
to solve this problem, and it is now an internationally-recognised
hallmark of quality for a variety of cyber security
disciplines.

You still need to know what to look for though, as CREST has
both a company-level certification and individual certifications,
where each tester must pass an exam to prove their skills. Having
one does not mean you have the other.

The company-wide accreditation (‘CREST member company’) is given
to companies that can prove their policies, processes and
procedures are up to scratch. This allows penetration testing
companies to show that they follow good practices on paper, and use
appropriate security testing methodologies. However, asking a
‘CREST member company’ to carry out a pen-test does not guarantee
that the consultant performing your test is certified themselves –
merely that the company is morally obliged to provide you with a
suitable tester.

Make sure you ask about the actual tester that will carry out
the work — do they have appropriate certifications and
experience?

For that reason, CREST also has different levels even for the
individual testers, from entry-level certificates to complex
practical examinations in different specialist areas. It’s
important to look at both the level of certifications, and whether
they’re specific to the type of penetration testing you are looking
for. We’ve outlined the available CREST certifications for
penetration testing below:

Whether you’re looking for a junior, senior or specialist will
depend on your organisation’s risk appetite. Governments would
usually ask for specialists, while startups with lower risk
profiles might be fine with juniors.

While certifications are useful, they can’t cover everything.
There are many types of technology out there, and you can’t have an
exam to cover every single one. As you can see from the diagram
above, there is no CREST exam for AWS, or for embedded devices, or
mobile applications.

Penetration testers are like doctors; they have a broad set of
knowledge and skills, but there isn’t always a textbook for the
patient you’re dealing with. That’s when experience can come into
play.

Experience

Another big factor is the experience your pen tester has under
their belt. The more exposure they’ve had, the better they will be
at uncovering a wider range of security threats.

It’s also important to note that not all experience is equal, as
some types of testing can involve specific skills in particular
technologies, like AWS Cognito, or the Real Time Messaging
Protocol. Make sure your provider has relevant experience in the
technologies you’re working with.

Remember, there may not be a tester with experience in every
technology out there, so you may need to be flexible. A good
penetration tester will be able to learn about the technology you
need testing, based on skills and principles from other
disciplines, but it might take them longer to become familiar with
the technology at hand, which could have a knock-on effect on the
price.

Price

When customers ask the average cost of a penetration test, it’s
like asking how long is a piece of string. It depends what you’re
working with, and how deep you need to go. Imagine painting a
bridge: it depends how big it is, and how many coats of paint you
want. One coat could leave you exposed to the elements.

Asking how much a pen-test costs is like asking how much it
would cost to paint a bridge. It depends on the size of the
bridge, any complicating factors, and how much coverage you want
to get.

Therefore, pen tests are usually quoted on a ‘day-rate’ basis,
and very broadly, you can expect to pay anything in the range of
£800-£1500.

Day rates vary from vendor to vendor based on things like
reputation, certifications, experience and any special
requirements, although discounts can be negotiated if you’re buying
lots of days (anything more than fifteen days would be considered a
large test).

To understand how long your job will take, the vendor will often
need to get a demo of your product, or gather information about
your environment. As a rule of thumb, the fewer questions they ask
at this stage, the less likely you are to get an accurately quoted
piece of work.

There’s also no standard when it comes to scoping a piece of
work, so you might find estimates differ. One supplier may scope a
job as 3-days’ work, and another as 5. These are best estimates;
it’s hard to be sure until you’re doing the work.

You can even buy “fixed-fee” pentests, but going back to the
bridge analogy, you should probably be concerned about coverage if
they’re offering it for a fixed fee without asking how big the job
is.

As with everything in life, the price you’re quoted should
reflect the quality of the penetration test – but in an industry
where the quality of a test is hard to judge, there are bound to be
some rogue traders. Ask the right questions and don’t skip due
diligence.

Going beyond point-in-time penetration tests

There are major issues with using penetration testing as your
sole vulnerability detection method.

Firstly, while in-depth, a penetration test only covers a point
in time. With 20 new vulnerabilities identified every day, your
penetration test results are likely to be out of date as soon as
you receive the report.

Not only that, but reports can take as long as six months to
produce because of the work involved, as well as several months to
digest and action.

They can be very expensive – often costing thousands of pounds
each time.

With hackers finding more sophisticated methods to break into
your systems, what is the best modern solution to keep you one step
ahead?

In order to gain the most comprehensive picture of your security
posture, you need to combine automated vulnerability scanning and
human-led penetration testing.

Intruder Vanguard[2]
does just that, bringing security expertise and continuous coverage
together to find what other scanners can’t. It fills the gap
between traditional vulnerability management and point in time
penetration tests, to provide a continuous watch over your systems.
With the world’s leading security professionals on hand, they’ll
probe deeper, find more vulnerabilities, and provide advisories on
their direct impact on your business to help you keep attackers at
bay.

About Intruder

Intruder[3]
is a cyber security company that helps organisations reduce their
attack surface by providing continuous vulnerability scanning and
penetration testing services. Intruder’s powerful scanner is
designed to promptly identify high-impact flaws, changes in the
attack surface, and rapidly scan the infrastructure for emerging
threats. Running thousands of checks, which include identifying
misconfigurations, missing patches, and web layer issues, Intruder
makes enterprise-grade vulnerability scanning easy and accessible
to everyone. Intruder’s high-quality reports are perfect to pass
onto prospective customers or comply with security regulations,
such as ISO 27001 and SOC 2.

Intruder offers a 30-day free trial[4] of their vulnerability
assessment platform. Visit their website today to take it for a
spin!

References

  1. CREST (www.crest-approved.org)
  2. Intruder Vanguard (www.intruder.io)
  3. Intruder (www.intruder.io)
  4. Intruder offers a 30-day free trial (www.intruder.io)