Why choosing the best penetration testing vendor matters
In 2020, CNA reported that 43% of overall crime in Singapore was attributed to cybercrime. This, together with the rising number of data breach incidents and cyberattacks published by the PDPC, should be reason enough for Singapore organisations to take their data protection policies and security controls seriously. One of these controls is regular vulnerability assessment and penetration testing (VAPT), a service often described as ethical hacking, and one of the most effective ways of finding and reducing security risk before an attacker does.
Penetration testing identifies exploitable weaknesses in an organisation's systems, networks and applications by attacking them the way a real adversary would, but under authorisation, within an agreed scope, and without damaging data or service. The objective of this controlled attack is to show which weaknesses actually matter so that the organisation can strengthen its IT and security infrastructure.
How often to test depends on the organisation's risk appetite and on what is being protected: which assets are exposed online, how sensitive the data they handle is, how often they change, and which kinds of test (web application, external network, internal network, mobile, API) apply to each. Hence, before performing any test, it is vital to first build an inventory of these assets so that the scope and frequency can be decided deliberately rather than by guesswork.
Given how much access a thorough VAPT engagement involves, and the sensitive data and credentials the testers will handle along the way, choosing the right penetration testing vendor is crucial.
Now more than ever, businesses need penetration testing
Through VAPT performed at regular intervals, organisations can identify the weaknesses in their IT infrastructure and react by putting the proper security controls in place to close the gaps. This allows your business to find vulnerabilities and misconfigurations and fix them as early as possible, well before attackers can misuse them. Organisations should also understand the 5 phases of penetration testing so that they know what to expect from the exercise and what they need to supply at each stage.
Additionally, reducing the risk of a cyberattack or data breach lowers the likelihood of hefty financial penalties and strengthens your organisation's trustworthiness with customers and regulators. In other words, regular penetration testing should be an integral part of any organisation's security program, not a one-off exercise.
Should you build an in-house VAPT team or outsource it?
While some organisations may consider hiring an in-house pentester to conduct vulnerability assessments, there is wisdom in also bringing in an outsider. Even if you have your own staff to perform the exercise, an external penetration testing provider complements your setup by offering an unbiased view of your defensive posture, informed by experience testing many other applications and environments. It should be noted that pen testing is both a science and an art: it requires methodical process and experience, but also the creativity to push past what a checklist or scanner would find.
For smaller organisations, engaging a third-party vendor also makes more sense financially than maintaining an in-house team of experts. Because of budget constraints, some organisations put off any offensive security testing until they become victims of a ransomware attack or similar incident. This should not be the case; the cost of a test is small next to the cost of a breach.
On choosing a third-party vendor
Now that we have established the purpose of a penetration test and the case for a third-party vendor to cover your offensive security, here are the considerations when selecting an external provider of VAPT services. The prospective third-party pen tester must:
- Be certified, licensed and experienced – The first thing to check is the vendor's credentials. Look for individual tester certifications such as OSCP, firm-level accreditation such as CREST, and testing methodologies aligned with recognised standards such as the OWASP testing guides. In Singapore, the Cyber Security Agency of Singapore also requires providers of licensable cybersecurity services, which include penetration testing, to hold a licence; ask for the licence number and verify it. Privacy Ninja's CSRO licence (Entity), for instance, is License No. CS/PTS/C-2022-0218. Also check how long the vendor has been in the industry and whether they have experience across multiple industries and environments (cloud, on-premises, mobile, APIs). This gives you confidence that the team knows what they are doing with your particular stack.
- Deliver clear reports with recommendations prioritised according to risk – Apart from being easy to understand, VAPT reports must contain a summary for executives and detailed findings for technical staff. Each finding should carry a severity rating (a CVSS score is the common basis), the affected asset, the evidence, and step-by-step reproduction and remediation guidance. Where applicable, screenshots and the exact requests used to exploit the system must be included so that your team can recreate every finding independently. Put simply: if you cannot understand the report or take action on its findings, the entire penetration test was wasted.
- Be able to conduct both manual and automated testing – Automated scanners are fast and good at detecting known vulnerability classes such as outdated software and common misconfigurations, but they miss business-logic flaws, authorisation bypasses and chained weaknesses, and they produce false positives. A good penetration test combines several tools with manual techniques, and the proposal should say how much of the effort is manual. Privacy Ninja, for example, conducts both as long as this is made clear in the agreement.
- Adhere to a documented workflow – There must be an organised, well-documented methodology covering what happens before, during and after the test. This ensures the test is complete, accurate and repeatable, so that a retest or next year's test can be compared meaningfully against this one. The summary you are shown may be high-level, but the vendor should be able to describe the detailed steps behind it on request.
- Follow a Rules of Engagement (ROE) document for definite expectations – An ROE ensures that all stakeholders are on the same page and that there are no last-minute changes or surprises during the test. It should state the scope (in-scope and out-of-scope systems, including third-party hosted services), testing windows, emergency contacts, what is off limits (for example denial of service or production data modification), and how credentials and evidence will be handled. The ROE must be signed by both the organisation and the pentesting vendor so that there is mutual clarity before any testing starts.
- Be clear and consistent in communicating – As with any other service, routine communication must be maintained throughout the penetration test: when testing commences, when a critical finding is discovered (which should be reported immediately, not held for the final report), when anything unexpected happens, and when testing concludes. Like the ROE, clear and consistent communication throughout the process is crucial to its success.
- Exhibit professionalism and respect – Although this may seem obvious, it still needs to be highlighted. The penetration testing team must keep in mind that the purpose of the test is to help the organisation secure its environment, not to provide a playground for honing their skills or trying out new stunts. Exploiting systems beyond what the ROE permits is bad practice and a breach of trust. In this regard, the team should be able to provide testimonials and references from previous clients.
- Detect and remove false positives – A false positive is a vulnerability that a tool reports but which does not actually exist or is not exploitable in your environment. The third-party vendor must validate every finding manually, remove false positives, and clearly mark any finding that could not be fully confirmed. Circling back to the earlier point, this is why manual analysis is crucial: a report padded with scanner output wastes your team's remediation time and erodes confidence in the genuine findings.
- Offer options to retest – After receiving the report, many organisations do take the necessary steps to fix the issues identified by the penetration testers, but some never validate that the fixes actually worked. The penetration testing team must offer a retest of the reported findings after remediation. At Privacy Ninja, for instance, we offer a free revalidation test, which is almost like a second round of VAPT at no extra cost, and we can work around your timeline.
- Be able to protect your data, both during and after the test – As mentioned earlier, the penetration testing team must follow a documented process to ensure that your data remains secure. Ask how test evidence, captured credentials and extracted data are stored and transferred (encrypted, and on whose systems), who can access them, and when they are destroyed after the engagement. Reports must be classified appropriately, handled with care, and shared only with authorised staff of the organisation.
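The three report-related points above (a risk-prioritised findings list, removal of false positives, and a retest after remediation) are easier to hold a vendor to when the client tracks findings in a structured form. The following is an added example, not code from the original page or from any vendor: it models findings the way a report should present them, drops items marked as false positives after manual validation, flags findings that claim exploitation without attached evidence, ranks the rest by a priority score built from the CVSS base score, the asset's criticality and whether exploitation was demonstrated, and produces the executive-summary counts and the retest queue. The weights, the field names and the sample findings are assumptions chosen for illustration.

```python
"""Risk-based triage of penetration-test findings (illustrative example)."""
from dataclasses import dataclass, field
from typing import Optional

# CVSS v3 qualitative severity bands (floor score, label), highest first.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

# Assumed weights: the same issue on an internet-facing, customer-data asset
# outranks one on a low-value internal box.
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.6}
EXPLOITED_BONUS = 2.0  # assumed: demonstrated exploitation jumps the queue


@dataclass
class Finding:
    finding_id: str
    title: str
    asset: str
    cvss: float                     # CVSS v3.1 base score, 0.0 - 10.0
    criticality: str                # asset criticality: high / medium / low
    exploited: bool                 # tester claims to have exploited it
    evidence: list = field(default_factory=list)  # screenshots, request logs
    false_positive: bool = False    # set after manual validation
    retest_passed: Optional[bool] = None  # None = not yet retested


def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative rating."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "Informational"


def priority_score(f: Finding) -> float:
    """Risk-based priority: CVSS scaled by asset criticality, plus a bonus
    when the tester actually demonstrated exploitation."""
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.exploited:
        score += EXPLOITED_BONUS
    return round(score, 2)


def confirmed(findings: list) -> list:
    """Findings that survived manual validation, highest priority first."""
    real = [f for f in findings if not f.false_positive]
    return sorted(real, key=priority_score, reverse=True)


def needs_evidence(findings: list) -> list:
    """IDs of findings that claim exploitation but attach no evidence; the
    client cannot reproduce these, so push them back to the vendor."""
    return [f.finding_id for f in confirmed(findings)
            if f.exploited and not f.evidence]


def executive_summary(findings: list) -> dict:
    """Count of confirmed findings per severity band for the exec summary."""
    counts = {label: 0 for _, label in SEVERITY_BANDS}
    counts["Informational"] = 0
    for f in confirmed(findings):
        counts[severity(f.cvss)] += 1
    return counts


def mark_retest(findings: list, finding_id: str, passed: bool) -> None:
    """Record the outcome of revalidating one finding after remediation."""
    for f in findings:
        if f.finding_id == finding_id:
            f.retest_passed = passed


def retest_queue(findings: list) -> list:
    """IDs of confirmed findings not yet verified as fixed, in priority order."""
    return [f.finding_id for f in confirmed(findings) if f.retest_passed is not True]


# Constructed sample findings, not from any real engagement.
SAMPLE_FINDINGS = [
    Finding("F-001", "SQL injection in login form", "customer portal", 9.8, "high",
            True, ["req-001.txt", "shot-001.png"]),
    Finding("F-002", "Weak TLS configuration", "customer portal", 5.9, "high", False,
            ["tls-scan.txt"]),
    Finding("F-003", "Verbose server banner", "intranet wiki", 3.1, "low", False,
            ["banner.txt"]),
    Finding("F-004", "Directory listing enabled", "staging file share", 5.3, "medium",
            True, []),                       # claims exploitation, no evidence
    Finding("F-005", "Reflected XSS (scanner only)", "intranet wiki", 6.1, "low", False,
            [], false_positive=True),        # manual check: input is encoded
]

if __name__ == "__main__":
    for f in confirmed(SAMPLE_FINDINGS):
        print(f.finding_id, severity(f.cvss), priority_score(f), f.title)
    print("needs evidence:", needs_evidence(SAMPLE_FINDINGS))
    print("summary:", executive_summary(SAMPLE_FINDINGS))
    mark_retest(SAMPLE_FINDINGS, "F-001", passed=True)
    print("retest queue:", retest_queue(SAMPLE_FINDINGS))
```

The ordering this produces is the one a good report should already show: the exploited critical on the customer-facing asset first, then the medium issues weighted by where they sit, with the scanner-only XSS removed entirely and the evidence-free finding sent back to the vendor before anyone spends remediation time on it. Adjust the weights to your own asset inventory; the point is that the priority is written down and applied consistently across tests and retests.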
Whenever a data breach or a cyberattack occurs, the organisation suffers more than financial repercussions: the trust of stakeholders and the integrity of the entire organisation are on the line. Why not take measures now to protect your systems, your employees and your clients? Singapore has several certified, licensed and qualified third-party vendors for your penetration testing needs. Once you have done your due diligence against the points above, engage their services before an attacker finds the gaps first.