Penetration testing is no longer an extraordinary security engagement. Because of regulatory mandates, internal policies, executive requests and the general desire not to become the next breach victim, testing is now commonplace across many organizations. Which kind of testing program you need, however, is still an open question. Do you need ad hoc testing, the as-needed engagement that takes place once or twice a year? Or do you need a managed testing program that runs continually and is coordinated by an outside testing team?
The best option for your organization depends on the number of tests you perform each year, the resources you have in-house and the skill sets of the people putting those resources to use.
Knock, Knock … Housekeeping!
No matter which type of program you use, a set of housekeeping steps has to take place before each testing engagement begins and after it ends. Before testing, they may include the following:
- Determining the depth of testing needed
- Finding and performing background checks on testers
- Scheduling windows for testing
- Provisioning the access credentials testers need for the agreed depth of testing
- Setting up virtual private network (VPN) access and accounts for testers
- Establishing the other rules of engagement, such as scope boundaries, testing windows and escalation contacts
After tests are completed, another set of steps kicks off, including:
- Reading through findings
- Facilitating the remediation of those findings
- Scheduling and performing re-testing to verify that vulnerabilities were actually fixed, not just reported as fixed
While these items may seem simple, in reality they take time and require expertise to ensure everything is set up and completed correctly. Accomplishing the pre- and post-testing items can overwhelm any security team.
Imagine you are a company that is required to complete hundreds of tests each year by a certain deadline, for example, when an auditor is scheduled for a visit. Even if you have an in-house resource specifically dedicated to testing management, coordinating all of those steps for hundreds of tests can be impractical.
It may also happen that the person coordinating the testing is not a penetration testing expert, which can lead to important process oversights. If that person typically only manages consultant scheduling and has no relevant testing experience, they may not realize that a tester needs a particular set of credentials or a particular level of access. As a result, the hired penetration testers show up for the project but cannot begin, which wastes your company's time and money.
Once the testing is finished, the person managing the testing program needs to work with the testers so that the team understands and promptly fixes the highest-risk vulnerabilities. If the program manager lacks relevant experience, they may not understand what the findings mean or which actions will fix them, all while the affected assets remain exposed to attackers for even longer.
Is Managed Testing for You?
If you are an organization like the one described above, one that must test hundreds of assets each year, a managed penetration testing program may be the best fit for you. After all, managing hundreds of tests while under tight deadlines requires a full-time resource, and if that resource has in-depth penetration testing expertise, it can save you time and money in the long run.
Under a managed program, your testing provider can handle the pre- and post-testing tasks, including prioritizing which assets need testing and determining the timing and depth of testing.
It will also make sure the proper credentials, VPN access and other needs are lined up before the tests begin, and it can oversee re-tests to ensure that patches were applied correctly and that compensating countermeasures were implemented. Think of your provider as the quarterback of your testing team — it will be in charge of calling and running the plays that get the ball to the end zone and afterward, doing it all over again.
You may also want to consider managed testing if you are working to align with regulatory requirements and lack processes or a governance structure. A managed provider can collect key metrics on a monthly or quarterly basis, report to executives and auditors, and help your testing program address the required compliance and security objectives. The provider can also enter the findings into a governance, risk and compliance (GRC) system, track your progress, and even automate the process so that you do not have to manually enter in the findings of hundreds of reports.
Is Ad Hoc Testing for You?
If you do have seasoned penetration testing experts on staff, an unmanaged, ad hoc approach may be best for you, depending on the number of tests you perform a year. An experienced, full-time, in-house resource should understand the penetration testing process and the pre- and post-housekeeping items that come along with it. That team can get the testers cleared, provide the appropriate credentials, define the rules of engagement, schedule tests and lead the remediation process.
While hiring internally may seem less expensive on the surface, it may not be the most effective choice if you don’t have all the right resources to plan, execute and follow up on the job.
Questions to Ask During the Penetration Testing Process
If you are contemplating a managed testing program or an ad hoc program, ask yourself these questions:
- Do our in-house resources lack actual hands-on penetration testing experience?
- Do we have too few resources dedicated to a testing program to do the job properly?
- Do we have too many people spending too much time on our testing program?
- Is it a headache to get all of the pre- and post-testing tasks completed?
- Are we testing hundreds of applications a year?
- Have we needed to delay testing projects because our ducks were not in a row?
- Are we spending too many hours manually entering test findings into our GRC system?
If the answer to any of these questions is “yes,” then you may want to consider a managed program. Testing is an ongoing process that requires continual time, resources and attention, but as many successful businesses know, it’s a worthwhile investment to keep threat actors from getting the best of your organization.
Associate Partner, X-Force Red
Abby Ross is Associate Partner for X-Force Red, IBM Security's team of veteran hackers. Abby is a seasoned marketing and public relations professional, with ...