With cyberattacks getting more sophisticated, the number of companies open to pentesting grows. Also known as “ethical hacking,” penetration testing discovers critical system vulnerabilities and helps patch them up before cybercriminals get to them. As a cybersecurity vendor, Iterasec is happy to see that enterprises take penetration testing seriously, and its market is expected to reach $4.5 billion by 2025.
But with great demand comes supply, and we might soon witness an abundance of underqualified pentesting vendors. How do you choose the right one, and how can you make the most out of your cooperation? In this blog post, we share four tips on making your application and network pentest truly valuable and effective.
1. Know your pentest objectives and goals
Setting the right objectives is your first step to successful pentesting.
Answer yourself this: Why do you need pentesting, and what exactly do you want to achieve with it? Is it just a formal pentest for compliance? Or is it a constructive pentest that will let you evaluate your security posture?
The two objectives are very different. The first one is as simple as checking the necessary checkboxes, while the second one can actually influence product success. They also require different skills and sometimes even mindsets.
Additionally, you should consider the level of input you’re willing to provide. This will determine if the pentesting is going to be:
- Black box (when no information about the system is provided)
- White box (when full background information about the system is provided)
- Grey box (when the pentester has limited knowledge of the system)
These modes also produce different outcomes: black box pentesting simulates a real attack well, but its time limits may leave some issues undiscovered. Cybercriminals, on the other hand, usually have plenty of time and motivation to meticulously work their way into your system.
2. Select a pentesting team
The next step is selecting the team that will do your system’s pentesting. Your first instinct might be to look for a pentest vendor who works according to numerous methodologies (OSSTMM, OWASP Testing Guide / ASVS, PTES) and can boast professional certifications (CEH, OSCP/OSCE) — the more, the better.
But while these accomplishments are noteworthy (especially when required by regulations), unfortunately, they don’t guarantee anything. Simply put, hackers will not use a formal or certified approach to breach your system. Instead, they will try to find the most practical solution.
We’ve seen brilliant security engineers and pentesters with no certifications and completely useless specialists with lots of certificates on their walls. It’s what they do with the pentesting results that matters most. Do they merely show you the outcomes of the test, or do they provide actionable insights on closing the gaps found? Aim for the partner that goes with the second scenario.
And before you make your choice, consider these points:
- Check how efficient, creative, and connected to the security reality their approach is. Which vulnerabilities do they typically report? What is their style? How deeply do they investigate the possible attack chains and consequences of exploitation? Do they demonstrate the attacker’s business gains from the vulnerabilities?
- Make sure the pentester knows how to structure a pentest: how to collect enough information about the system or app under pentest, how to perform threat modeling, how to prioritize attack vectors, etc.
- Check if the pentester uses automated tools/scanners — but only as a tool, not as the ultimate instrument for producing pentest reports and generating findings. Pentesting is a combination of art and science, and unique ideas are key to really juicy findings.
3. Ensure skilled delivery management
A pentest is a project, not magic. And just like any other project, it has to be managed properly, so look for a vendor who really knows how to do that.
Here are some indicators of finely-tuned pentest project management:
- The assigned project manager (PM) or delivery manager (DM) is knowledgeable in information security. This matters because a skilled PM detects when the team stalls and starts running in circles, and can refocus it on other directions.
- There are enough meetings (a kick-off meeting and a results meeting) as well as regular interim status updates.
- The team sticks to the rules: working during the specified hours, pentesting from dedicated IP addresses, etc.
- All deadlines are met thanks to realistic estimates and excellent planning skills.
- The team handles re-tests in a timely manner.
- Client feedback is carefully gathered for retrospective and improvements.
Working with a dedicated pentest project manager guarantees the results you get are actionable and will help improve your cybersecurity posture, not merely inform you of the breaches discovered.
4. Find a vendor that understands engineering and IT
Professional pentesters shouldn’t be disconnected from the engineering world. This is important because they need to:
- Convey the identified issues to developers and consult them
- Provide balanced recommendations on how to fix the identified issues
- Know where more or less focus is needed
For example, if pentesting discovers your Kubernetes cluster security policies are not configured correctly, the results should include the recommended configuration, not just the tip to reconfigure the policy.
The bottom line
Penetration testing is a serious and sensitive matter. It’s serious because preventing cybersecurity breaches is easier than repairing the broken reputation of a company that doesn’t protect data well enough. It is also sensitive, since you can’t let just anyone pentest your system, especially if it’s a white box engagement.
This is why we recommend choosing a pentesting partner with a solid reputation, like the one Iterasec is proud to uphold. Contact us, and we will help you get the most value out of your next application pentesting!