In today’s world of automated hacking systems, frequent data breaches and consumer protection regulations such as GDPR and PCI DSS, penetration testing is now an important security requirement for organizations of all sizes. But what should you look for when choosing the right supplier?
The sheer number of providers can be daunting and finding someone who can deliver a high quality test at a reasonable price is not easy. How do you know if they are good? What level of security expertise was included in the report? Is your application secure, or is the vendor simply missing a weak spot?
There are no easy answers, but you can make it easier by asking the right questions beforehand. The most important considerations fall into three categories: certifications, experience, and price.
Certificates are the best place to start as they provide a fast track to building trust. There is no shortage of professional certifications, but one of the most well-known is CREST (Council of Registered Ethical Security Testers).
CREST was created by leading UK pen testing consultancies precisely to address this issue and is now an internationally recognized mark of quality across a range of cyber security disciplines.
However, you still need to know what to look for, as CREST has both company-level certification and individual certifications where each tester must pass an exam to prove their skills. Having one doesn’t mean having the other.
Company-wide accreditation (a “CREST Member Company”) is awarded to companies that can demonstrate that their policies, processes and procedures are compliant. This allows penetration testing companies to demonstrate that they follow good practice on paper and use appropriate security testing methodologies. However, asking a “participating CREST company” to perform a pen test does not guarantee that the consultant performing your test is certified themselves, only that the company is morally obligated to provide you with a suitable tester.
Make sure you ask about the tester who will be doing the work – do they have the relevant certifications and experience?
For this reason, CREST also has different levels for individual testers, from entry-level certifications to challenging practical exams in different areas of specialization. It is important to look at both the level of certification and whether it is specific to the type of penetration testing you are looking for. Below we have outlined the available CREST certificates for penetration testing:
Whether you’re looking for a junior, senior, or specialist will depend on your organization’s risk appetite. Governments usually ask for specialists; startups with lower risk profiles may do well with juniors.
While certifications are useful, they cannot cover everything. There are many types of technology and you can’t pass the exam in every one. As you can see from the chart above, there is no CREST exam for AWS, embedded devices, or mobile apps.
Penetration testers are like doctors; they have a wide range of knowledge and skills, but there isn’t always a playbook for the patient you’re dealing with. That’s when experience can come into play.
Another important factor is the experience of your pen tester. The more exposure they’ve had, the better they’ll be at uncovering a wider range of security threats.
It’s also important to note that not all experience is created equal, as some types of testing may require specific skills in specific technologies, such as AWS Cognito or the Real-Time Messaging Protocol. Make sure your vendor has the appropriate expertise in the technologies you are working with.
Remember that there may not be a tester with experience in every technology, so you may need to be flexible. A good penetration tester will be able to learn about the technology under test by applying skills and principles from other disciplines, but may take more time to become familiar with it.
What can affect the price…
Asking about the average cost of a penetration test is like asking how long a piece of string is. It depends on what you are working with and how deep you need to go. Imagine you are painting a bridge: the cost depends on how big it is and how many coats of paint you want. One coat can leave you exposed to the elements.
Asking how much a pen test costs is like asking how much it costs to paint a bridge. It depends on the size of the bridge, any complicating factors, and how much coverage you want.
Pen tests are therefore usually quoted on a ‘day rate’ basis, and very broadly you can expect to pay in the £800-£1500 per day range.
Day rates vary from provider to provider depending on things like reputation, certifications, special requirements and experience, although discounts can be negotiated if you buy a lot of days (anything over fifteen days would be considered a large test).
To understand how long your work will take, the vendor will often need access to a demo version of your product or gather information about your environment. Generally, the fewer questions they ask at this stage, the less likely you are to get an accurate quote.
There are also no standards when it comes to scoping a piece of work, so you may find different estimates. One supplier may scope the job at 3 business days and another at 5. These are best estimates; it’s hard to be sure until the work has been done.
You can even purchase “fixed fee” pen tests, but going back to the bridge analogy, you should probably be concerned about coverage if a supplier offers a flat fee without asking how much work is involved.
As with everything in life, the quoted price should reflect the quality of the penetration test, but in an industry where it is difficult to judge the quality of the test, there are bound to be rogue traders. Ask the right questions and do your due diligence.
Going beyond point-in-time penetration tests
There are serious problems with using penetration testing as the sole method of detecting vulnerabilities.
First, even an in-depth penetration test only covers a specific point in time. With 20 new vulnerabilities discovered every day, your penetration test results are likely to be out of date by the time you receive the report.
Not only that, but the reports can take up to six months to produce because of the work involved, plus several months to digest and take action.
They can be very expensive – often costing thousands of pounds each time.
Given that hackers are finding more sophisticated methods to break into your systems, what modern solution is best to keep you one step ahead?
To get the most comprehensive view of your security, you need to combine automated vulnerability scanning with human-led penetration testing.
Intruder Vanguard does just that, combining security expertise and consistent coverage to find what other scanners can’t. It bridges the gap between traditional vulnerability management and point-in-time penetration testing to ensure continuous monitoring of your systems. With the world’s leading security experts on hand, they’ll dig deeper, find more vulnerabilities and provide guidance on their direct impact on your business to help you keep attackers at bay.
Intruder is a cybersecurity company that helps organizations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder’s powerful scanner is designed to quickly detect critical vulnerabilities and attack surface changes, and to rapidly scan infrastructure for emerging threats. By running thousands of checks covering misconfigurations, missing patches, and web-layer issues, Intruder makes finding enterprise-level vulnerabilities simple and accessible for everyone. Intruder’s high-quality reports are ideal for handing over to potential clients or for compliance with security regulations such as ISO 27001 and SOC 2.
Intruder offers a 30-day free trial of its vulnerability assessment platform. Visit their website today to give it a try!