23 June, 2021
Third-party penetration testing basics
Penetration tests seek to find, and where permitted exploit, existing vulnerabilities in an organization's IT infrastructure and applications before an attacker does. Fixing those vulnerabilities in time removes the path a real attack would have taken. Regular tests help an organization understand its current security posture and point to the measures that will improve it over time. An organization that wants penetration tests has two options: its internal security team can perform them, or it can engage an external service provider.
An internal team already knows the architecture, so its testing may not reproduce the view of an attacker who has to discover the environment from the outside. Many security practitioners hold that a penetration test should mirror what an attacker would actually do. An internal team may also, consciously or not, under-report findings that reflect on its own work. For these reasons it is generally recommended to bring in a penetration testing partner to identify vulnerabilities and weaknesses before attackers do.
Common reasons for outsourcing penetration testing to a third-party service provider
In our penetration testing engagements, we seek to understand why a client has engaged us so that we can tailor the work to their business requirements. In our experience, organizations outsource penetration testing:
- To discover the vulnerabilities missed by internal security team(s);
- To demonstrate their commitment to information security by conducting 3rd party exercises;
- To get a better return on investment by outsourcing penetration testing rather than building in-house capability;
- To keep their own investment minimal while still having the test performed with well-established, industry-standard tooling;
- To benefit from tailored methodologies and current tooling, tactics, techniques, and procedures (TTPs); and,
- To have offensive security exercises performed against their systems by an independent third party, as an attacker would.
Third-party penetration testing engagement: The basics
1. Scope and initial discussions
Check that a prospective provider asks for the information the agreed scope requires. In a white box test, a good provider will ask for material such as network diagrams, user credentials for the in-scope systems, and architecture or code documentation, together with access to the in-scope environment. In a black box test the testers start with no internal information beyond what is publicly discoverable, so their requests should be limited to the target scope itself (IP ranges, domain names, application URLs) and written authorization to test it. In either case, the scope should be written down before testing starts: which hosts and applications are in and out of scope, the testing window, and the rules of engagement (for example whether denial-of-service or social engineering is permitted).
2. Contractual and administrative controls
Before sharing any confidential information, ensure that a non-disclosure agreement is in place, and before any testing starts, ensure that written authorization and the rules of engagement have been signed by both parties. From a liability point of view, check whether the prospective service provider carries liability insurance that would compensate you if your proprietary information were lost or disclosed. In the initial meetings, your organization should designate an individual to coordinate with the service provider. A good service provider will always ask for a point of contact (POC), including an out-of-hours contact for urgent findings, so that there are no communication gaps.
3. Due diligence and credibility
If your company operates an information security management system, it will require you to conduct vendor due diligence. A credible service provider should not hesitate to share evidence of its standing: the qualifications of its testers, its own security practices for handling client data, its clientele, and a few references you can contact.
Some providers present highly qualified staff during the sales process while less experienced testers perform the actual work. Before signing a contract, confirm who will actually be on the engagement team and ask for the named testers to be recorded in the contract or statement of work.
4. Technical expertise and knowledge
Before you select a vendor, ask technical questions when they present their services. A prospective vendor must be well-versed in your technical architecture. For example, if a vendor specializes only in Windows environments and your company runs Linux-based systems, the test will be ineffective from day one. Check the vendor's expertise against your own stack (operating systems, cloud platforms, application frameworks) before you commit.
5. Costing and reporting
Ideally, a vendor provides more than one report, with the level of technical detail matched to the audience. A technical report for the security team should contain each finding with reproduction steps, evidence, a severity rating, and remediation advice, while an executive summary for management gives a concise overview of the overall risk. Ask a prospective vendor for sample reports so you know what you will receive after the test. Cost inevitably plays a role in the decision, but you get what you pay for: a low quote usually means less tester time on your systems. The best approach is to talk to several vendors, review their previous work, ask for quotations, and choose the one that suits your business requirements.
Ending notes: After test activities
When you outsource penetration testing, a provider that successfully exploits a vulnerability may gain access to sensitive organizational data. The contract should define how that data is handled, retained, and destroyed after the engagement, and should require the provider to remove any artifacts it created during testing, such as accounts, credentials, or tooling left on your systems. You should also establish whether the vendor will help with remediation of the findings and perform retests to confirm that the fixes are effective. BreachLock clients use a secure SaaS client portal to track their vulnerability assessments and penetration tests from a single dashboard. The cloud platform combines automated tooling with human expertise to offer a comprehensive security testing service. Once the vulnerabilities have been addressed, the platform lets your security team order a retest in a few clicks. Schedule a discovery call with our team today!