Penetration testing is no longer an extraordinary security engagement. Due to regulatory mandates, internal policies, business executive requests and the overall desire to avoid becoming the next breach victim, testing is now commonplace among many organizations. Which kind of testing to use, however, is still an open question. Do you need ad hoc testing, the as-needed affair that takes place once or twice a year? Or do you need a managed testing program that is continual and coordinated by an outside testing team?

The best option for your organization depends on the number of tests you perform a year, the resources you have in-house and the skill sets putting those resources to use.

Knock, Knock … Housekeeping!

No matter the type of program you use, many housekeeping steps take place before each testing engagement begins and after it ends. They may include the following:

  • Determining the depth of testing needed
  • Finding and performing background checks on testers
  • Scheduling windows for testing
  • Giving appropriate access credentials to testers
  • Creating a virtual private network (VPN) and accounts for testers
  • Establishing other rules of engagement

After tests are completed, another set of steps kicks off, including:

  • Reading through findings
  • Facilitating the remediation of those findings
  • Scheduling and performing re-testing to make sure vulnerabilities are patched

While these items may seem simple, in reality, they take time and require some expertise to ensure everything is set up and completed correctly. Accomplishing the pre- and post-testing items can overwhelm any security team.

Imagine you are a company that is required to complete hundreds of tests each year by a certain deadline, for example, when an auditor is scheduled for a visit. Even if you have an in-house resource specifically dedicated to testing management, coordinating all of those steps for hundreds of tests can be impractical.

It may also happen that the person coordinating the testing is not a penetration testing expert, which can lead to important process oversights. If the person typically only manages the scheduling of consultants, and does not have relevant experience, they may not realize a tester needs a certain set of credentials. As a result, the hired penetration testers show up for the project but cannot begin, which wastes your company’s time and money.

Once the testing is finished, the person managing the testing program needs to work with the testers so that the team can understand and promptly fix the highest risk vulnerabilities. If the program manager lacks relevant experience, they may not understand what the findings mean and which actions to take to fix them — all while assets remain exposed to attackers for even longer.

Is Managed Testing for You?

If you are an organization like the one described above, one that must test hundreds of assets each year, a managed penetration testing program may be the best fit for you. After all, managing hundreds of tests while under tight deadlines requires a full-time resource, and if that resource has in-depth penetration testing expertise, it can save you time and money in the long run.

Under a managed program, your testing provider can handle the pre- and post-testing tasks, including prioritizing which assets need testing and determining the timing and depth of testing.

It will also make sure the proper credentials, VPN access and other needs are lined up before the tests begin, and it can oversee re-tests to ensure that patches were applied correctly and that compensating countermeasures were implemented. Think of your provider as the quarterback of your testing team — it will be in charge of calling and running the plays that get the ball to the end zone and afterward, doing it all over again.

You may also want to consider managed testing if you are working to align with regulatory requirements and lack processes or a governance structure. A managed provider can collect key metrics on a monthly or quarterly basis, report to executives and auditors, and help your testing program address the required compliance and security objectives. The provider can also enter the findings into a governance, risk and compliance (GRC) system, track your progress, and even automate the process so that you do not have to manually enter in the findings of hundreds of reports.

Is Ad Hoc Testing for You?

If you do have seasoned penetration testing experts on staff, an unmanaged, ad hoc approach may be best for you, depending on the number of tests you perform a year. An experienced, full-time, in-house resource should understand the penetration testing process and the pre- and post-housekeeping items that come along with it. That team can get the testers cleared, provide the appropriate credentials, define the rules of engagement, schedule tests and lead the remediation process.

While hiring internally may seem less expensive on the surface, it may not be the most effective choice if you don’t have all the right resources to plan, execute and follow up on the job.

Questions to Ask During the Penetration Testing Process

If you are contemplating a managed testing program or an ad hoc program, ask yourself these questions:

  • Do our in-house resources lack actual hands-on penetration testing experience?
  • Do we have too few resources dedicated to a testing program to do the job properly?
  • Do we have too many people spending too much time on our testing program?
  • Is it a headache to get all of the pre- and post-testing tasks completed?
  • Are we testing hundreds of applications a year?
  • Have we needed to delay testing projects because our ducks were not in a row?
  • Are we spending too many hours manually entering test findings into our GRC system?

If the answer to any of these questions is “yes,” then you may want to consider a managed program. Testing is an ongoing process that requires continual time, resources and attention, but as many successful businesses know, it’s a worthwhile investment to keep threat actors from getting the best of your organization.
