April 29, 2020 By Abby Ross, @HonestAb2 4 min read

Penetration testing is no longer an extraordinary security engagement. Due to regulatory mandates, internal policies, business executive requests and the overall desire to avoid becoming the next breach victim, testing is now commonplace among many organizations. The kind of testing, however, can still be a question. Do you need ad hoc testing, that as-needed affair that takes place once or twice a year? Or do you need a managed testing program that is continual and coordinated by an outside testing team?

The best option for your organization depends on the number of tests you perform a year, the resources you have in-house and the skill sets putting those resources to use.

Knock, Knock … Housekeeping!

No matter the type of program you use, many housekeeping steps take place before and after each testing engagement. Before testing begins, they may include the following:

  • Determining the depth of testing needed
  • Finding and performing background checks on testers
  • Scheduling windows for testing
  • Giving appropriate access credentials to testers
  • Creating a virtual private network (VPN) and accounts for testers
  • Establishing other rules of engagement

After tests are completed, another set of steps kicks off, including:

  • Reading through findings
  • Facilitating the remediation of those findings
  • Scheduling and performing re-testing to make sure vulnerabilities are patched

While these items may seem simple, in reality, they take time and require some expertise to ensure everything is set up and completed correctly. Accomplishing the pre- and post-testing items can overwhelm any security team.

Imagine you are a company that is required to complete hundreds of tests each year by a certain deadline, for example, when an auditor is scheduled for a visit. Even if you have an in-house resource specifically dedicated to testing management, coordinating all of those steps for hundreds of tests can be impractical.

It may also happen that the person coordinating the testing is not a penetration testing expert, which can lead to important process oversights. If the person typically only manages the scheduling of consultants, and does not have relevant experience, they may not realize a tester needs a certain set of credentials. As a result, the hired penetration testers show up for the project but cannot begin, which wastes your company’s time and money.

Once the testing is finished, the person managing the testing program needs to work with the testers so that the team can understand and promptly fix the highest risk vulnerabilities. If the program manager lacks relevant experience, they may not understand what the findings mean and which actions to take to fix them — all while assets remain exposed to attackers for even longer.

Is Managed Testing for You?

If you are an organization like the one described above, one that must test hundreds of assets each year, a managed penetration testing program may be the best fit for you. After all, managing hundreds of tests while under tight deadlines requires a full-time resource, and if that resource has in-depth penetration testing expertise, it can save you time and money in the long run.

Under a managed program, your testing provider can handle the pre- and post-testing tasks, including prioritizing which assets need testing and determining the timing and depth of testing.

It will also make sure the proper credentials, VPN access and other needs are lined up before the tests begin, and it can oversee re-tests to ensure that patches were applied correctly and that compensating countermeasures were implemented. Think of your provider as the quarterback of your testing team — it will be in charge of calling and running the plays that get the ball to the end zone and afterward, doing it all over again.

You may also want to consider managed testing if you are working to align with regulatory requirements and lack processes or a governance structure. A managed provider can collect key metrics on a monthly or quarterly basis, report to executives and auditors, and help your testing program address the required compliance and security objectives. The provider can also enter the findings into a governance, risk and compliance (GRC) system, track your progress, and even automate the process so that you do not have to manually enter the findings of hundreds of reports.

Is Ad Hoc Testing for You?

If you do have seasoned penetration testing experts on staff, an unmanaged, ad hoc approach may be best for you, depending on the number of tests you perform a year. An experienced, full-time, in-house resource should understand the penetration testing process and the pre- and post-housekeeping items that come along with it. That team can get the testers cleared, provide the appropriate credentials, define the rules of engagement, schedule tests and lead the remediation process.

While hiring internally may seem less expensive on the surface, it may not be the most effective choice if you don’t have all the right resources to plan, execute and follow up on the job.

Questions to Ask During the Penetration Testing Process

If you are contemplating a managed testing program or an ad hoc program, ask yourself these questions:

  • Do our in-house resources lack actual hands-on penetration testing experience?
  • Do we have too few resources dedicated to a testing program to do the job properly?
  • Do we have too many people spending too much time on our testing program?
  • Is it a headache to get all of the pre- and post-testing tasks completed?
  • Are we testing hundreds of applications a year?
  • Have we needed to delay testing projects because our ducks were not in a row?
  • Are we spending too many hours manually entering test findings into our GRC system?

If the answer to any of these questions is “yes,” then you may want to consider a managed program. Testing is an ongoing process that requires continual time, resources and attention, but as many successful businesses know, it’s a worthwhile investment to keep threat actors from getting the best of your organization.

Learn more about X-Force Red’s managed penetration testing program
