In today’s world of automated hacking systems, frequent data breaches and consumer protection regulations such as GDPR and PCI DSS, penetration testing is now an essential security requirement for organisations of all sizes. But what should you look for when choosing the right provider?
The sheer number of providers can be daunting, and finding one which can deliver a high-quality test at a reasonable price is not easy. How do you know if they’re any good? What level of security expertise was included in the report? Is your application secure, or did the supplier simply not find the weaknesses?
There are no easy answers, but you can make it easier by asking the right questions up front. The most important considerations fall into three categories: certifications, experience, and price.
Certifications are the best place to start, as they provide a quick shortcut for building trust. There’s no shortage of professional certifications available, but one of the most well-recognised is CREST (Council of Registered Ethical Security Testers).
CREST was set up by the UK’s leading pen testing consultancies precisely to solve this problem, and it is now an internationally-recognised hallmark of quality for a variety of cyber security disciplines.
You still need to know what to look for though, as CREST have both a company-level certification, as well as individual certifications where each tester must pass an exam to prove their skills. Having one does not mean you have the other.
The company-wide accreditation (‘CREST member company’) is given to companies that can prove their policies, processes and procedures are up to scratch. This allows penetration testing companies to show that they follow good practices on paper, and use appropriate security testing methodologies. However, asking a ‘CREST member company’ to carry out a pen-test does not guarantee that the consultant performing your test is certified themselves – merely that the company is morally obliged to provide you with a suitable tester.
Make sure you ask about the actual tester that will carry out the work — do they have appropriate certifications and experience?
For that reason, CREST also has different levels even for the individual testers, from entry-level certificates to complex practical examinations in different specialist areas. It’s important to look at both the level of certifications, and whether they’re specific to the type of penetration testing you are looking for. We’ve outlined the available CREST certifications for penetration testing below:
|Whether you’re looking for a junior, senior or specialist would depend on your organisation’s risk appetite. Governments would usually ask for specialists, startups with lower risk profiles might be fine with juniors.|
While certifications are useful, they can’t cover everything. There are many types of technology out there, and you can’t have an exam to cover every single one. As you can see from the diagram above, there is no CREST exam for AWS, or for embedded devices, or mobile applications.
Penetration testers are like doctors; they have a broad set of knowledge and skills, but there isn’t always a textbook for the patient you’re dealing with. That’s when experience can come into play.
Another big factor is the experience your pen tester has under their belt. The more exposure they’ve had, the better they will be at uncovering a wider range of security threats.
It’s also important to note that not all experience is equal, as some types of testing can involve specific skills in particular technologies, like AWS Cognito, or the Real Time Messaging Protocol. Make sure your provider has relevant experience in the technologies you’re working with.
Remember, there may not be a tester with experience in every technology out there, so you may need to be flexible. A good penetration tester will be able to learn about the technology you need testing, based on skills and principles from other disciplines, but it might take them longer to become familiar with the technology at hand. Which could have a knock-on effect on the price…
When customers ask the average cost of a penetration test, it’s like asking how long is a piece of string. It depends what you’re working with, and how deep you need to go. Imagine painting a bridge: it depends how big it is, and how many coats of paint you want. One coat could leave you exposed to the elements.
|Asking how much does a pen-test cost is like asking how much it would cost to paint a bridge. It depends on the size of the bridge, any complicating factors, and how much coverage you want to get.|
Therefore, pen tests are usually quoted on a ‘day-rate’ basis, and very broadly, you can expect to pay anything in the range of £800-£1500.
Day rates vary from vendor to vendor based on things like reputation, certifications, and special requirements and experience, although discounts can be negotiated if you’re buying lots of days (anything more than fifteen days would be considered a large test).
To understand how long your job will take, the vendor will often need to get a demo of your product, or gather information about your environment. As a rule of thumb, the less questions they ask at this stage, the less likely you are to get an accurately quoted piece of work.
There’s also no standard when it comes to scoping a piece of work, so you might find estimates differ. One supplier may scope a job as 3-days’ work, and another as 5. These are best estimates; it’s hard to be sure until you’re doing the work.
You can even buy “fixed-fee” pentests, but going back to the bridge analogy, you should probably be concerned about coverage if they’re offering it for a fixed fee without asking how big the job is.
As with everything in life, the price you’re quoted should reflect the quality of the penetration test – but in an industry where the quality of a test is hard to judge, there are bound to be some rogue traders. Ask the right questions and don’t skip due diligence.
Going beyond point-in-time penetration tests
There are major issues with using penetration testing as your sole vulnerability detection method.
Firstly, while in depth, penetration testing only covers a point in time. With 20 new vulnerabilities identified every day, your penetration test results are likely to be out of date as soon you receive the report.
Not only that but reports can take as long as six months to produce because of the work involved, as well as several months to digest and action.
They can be very expensive – often costing thousands of pounds each time.
With hackers finding more sophisticated methods to break into your systems, what is the best modern solution to keep you one step ahead?
In order to gain the most comprehensive picture of your security posture, you need to combine automated vulnerability scanning and human-led penetration testing.
Intruder Vanguard does just that, bringing security expertise and continuous coverage together to find what other scanners can’t. It fills the gap between traditional vulnerability management and point in time penetration tests, to provide a continuous watch over your systems. With the world’s leading security professionals on hand, they’ll probe deeper, find more vulnerabilities, and provide advisories on their direct impact on your business to help you keep attackers at bay.
Intruder is a cyber security company that helps organisations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder’s powerful scanner is designed to promptly identify high-impact flaws, changes in the attack surface, and rapidly scan the infrastructure for emerging threats. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone. Intruder’s high-quality reports are perfect to pass onto prospective customers or comply with security regulations, such as ISO 27001 and SOC 2.
Intruder offers a 30-day free trial of their vulnerability assessment platform. Visit their website today to take it for a spin!