Selecting a Penetration Testing Provider – Part 2

October 12, 2021

In last week’s blog, I started outlining some of the considerations when choosing a penetration testing provider, including a list of general questions you should ask during your early correspondence with a prospective provider.

As mentioned in my previous post, procuring offensive security services is a relatively new undertaking for many companies, and the complexities can make it an overwhelming process. I hope between my last post and what you are about to read, you feel more informed about the penetration testing process and are able to decide what is needed for your business.

Allow Yourself Time for Scheduling    

With increasingly high demand outstripping the supply of qualified testers, testing firms are often 2-3+ months booked out. Therefore, being proactive and planning for offensive services is very important. Attempting a last-minute emergency penetration test is an invitation to get overcharged or end up with a low-quality test.

At least in the U.S., Q4 is frequently known as a busy period for penetration testing, as organizations empty the last of their budgets, completing work that had annual deadlines after first procrastinating all year…don’t worry, it’s not just you! Conversely, Q3 and the summer months tend to slow down, with many project stakeholders inevitably taking their vacations.

If a firm you are considering is available immediately for an engagement, take time to think about what that means. Sometimes, it is possible that a customer backed out and a spot opened up, but it could also indicate they don’t have much business, which should start ringing alarm bells. Similarly, if a firm requires a 50% payment upfront or some non-standard arrangement, it could indicate they have cash-flow issues or collection issues with their clients. Take what you will from that, but I believe firms that add value, whether large or small, do not have any problems collecting or booking their consultants several weeks in advance in 2021.

Project-Based, Continuous and Crowd-Sourced offerings

While most penetration testing engagements are still point-in-time and project-based, many firms offer “continuous penetration testing” services. This commonly amounts to a less frequent (annual or quarterly, for example), real, manual penetration test, followed by recurring automated scanning. In a worst-case scenario, this involves scheduling a recurring scan and sending you the PDF with no manual attention, exploitation, or post-exploitative activities – which, let’s be clear, is not penetration testing.

Continuous offerings may or may not be valuable to you if you are already performing in-house vulnerability scanning. Do not be afraid to ask how much of their service involves an actual penetration tester (and if they’re not telling you directly, get the SLAs; they should be defined there). If the firm claims “machine learning” or “AI,” don’t be afraid to ask, “How?” and uncover if the technology is there to help enhance the offering, or it is more along the lines of buzzwords they think clients want to hear.       Defensive responses, including words like patented, proprietary, bespoke, etc., could indicate evasion of tough questions.

Crowd-sourced penetration testing is available too. This involves platforms that tout a streamlined vetting process for onboarding testers, engaging them for projects, triaging reported findings, and usually pays testers per bug, similarly to how researchers get paid in bug bounties. If you are considering this, ask about how the workflow is enforced across disparate researchers? How do they keep people from wasting time retesting the same addresses, parameters, and pages? How is full target coverage ensured? Is there a methodology they follow, and how is that distributed? How many person-hours can be expected to be spent? How easy is it to communicate with the individual testers on short notice? Are the testers 1099 contractors or full-time employees? Ultimately, there is no right or wrong type of offering – it is asking the questions and getting the answers that match best what you need that will guide you forward here.

Project Kickoff & Rules of Engagement

Once a project is scoped and agreed upon by both parties, the engagement is typically scheduled along with a kickoff meeting. The kickoff meeting should be held at least a week before testing, and will outline the type of testing to be performed, targets to be tested and rules of engagement.

These rules should define testing time frame restrictions, points of contact, when to notify, and how to proceed with exploitation and post-exploitation activities. Any access to targets such as VPN connectivity, user accounts, MFA enrollment, and such should be handled during this meeting so as not to impede the testing schedule. Typically, the tester and their project manager will attend the call. Do not underestimate the importance of the kickoff meeting: a lack of kickoff call or having it scheduled after the start of testing could indicate an unorganized or disengaged firm.

The Testing Process

Once testing starts, the tester should begin the process of information gathering and threat modeling for targets. Vulnerabilities will be identified, exploited, and privileges escalated according to the rules of engagement agreed upon during the kickoff meeting.

The results of these activities are then documented within a final report. A good report should leave little doubt about what the issues are, why they are important, in what ways they can be remediated, and which ones to prioritize.

Reports often lay out the testing results at different levels for different audiences. However, there are typically at least two major sections: An Executive Summary and Technical Details. Any claimed exploits should be well-documented, usually step-by-step, narrative form, with supporting evidence including screenshots within the technical details. Sometimes a table-formatted list of findings is also included for those in charge of keeping track of individual instances.

Project Wrap-Up

Finally, it is common to schedule a project wrap-up meeting to go over the firm’s final report – included in the project cost, of course). In addition, some firms charge to test for remediation status after you think you have resolved the issues that were most concerning to you. Others offer it for free within a certain time window.

Regardless of what firm or offering you go with, I cannot stress the importance of finding the right provider for you. Often you are testing an application or network that is critical to your business, and sometimes your livelihood too – this is not an area to jump into without doing your due diligence. For more information on how Depth Security can help provide organizations like yours with real-world visibility into threats facing their infrastructure and applications, get in touch here.

Jake Reynolds
Director, Offensive Security Services, Depth Security