How to Choose the Best Penetration Testing Vendor
From January to May 2020 alone, reports have confirmed a staggering amount of financial loss due to frauds. This, coupled with increasing data breach incidents and cyberattacks, should be enough of a wakeup call for all organisations in Singapore to ponder seriously about their data protection policies and security provisions in place. Among these provisions is vulnerability assessment and penetration testing (VAPT), a service collectively known as ethical hacking. Among others, this method is one of the most effective ways of handling security risks.
Ethical hacking identifies and spots potential vulnerabilities in an organisation’s digital space. This is done by attacking the security infrastructure through harmless means. The objective of this controlled attack is to strengthen the organisation’s IT and security infrastructure.
So how often should an organisation conduct penetration testing? The frequency of this test depends on the company’s risk appetite; that is, their relevant assets, the sensitive data they manage, plus what applicable tests are related to each asset. Hence, before performing any test, it is vital to first conduct an inventory of all these various assets.
Now more than ever, businesses need penetration testing
Through VAPT being performed at regular intervals, organisations can determine the technicalities in their IT infrastructure and react accordingly by putting up the proper security controls to mitigate the security gaps. This service allows your business to spot potential cyberattacks and security threats and patch them at the soonest time possible, way before attackers can misuse them.
Additionally, mitigating the risk of a cyberattack or a data breach lowers the possibility of incurring hefty financial penalties, and increases your organisation’s trustworthiness and integrity. In other words, penetration tests should be an integral part of any organisation’s security program.
In-house or third-party?
While some organisations may consider getting an in-house pentester to conduct vulnerability assessment, there is wisdom in leveraging an outsider to do this. Even if you have your own staff of pentesters, getting a third-party vendor will complement your setup by bringing in new insights of your defense posture, enhanced by their experience in testing other applications. It should be noted that pentesting is both a science and an art, requiring the grit of experience and pushing the boundaries of creativity when it comes to ethical hacking.
For smaller organisations, getting a third-party vendor makes sense from a financial standpoint than maintaining an in-house team of experts. Due to budget constraints, there are organisations that tend to put off getting offensive security until they become victims of a ransomware attack. This should not be the case.
On choosing a third-party vendor
Now that we have established the necessity of a third-party vendor to cover your offensive security, here are considerations you must bear in mind when selecting your external provider of VAPT services. The prospective third-party pen tester must:
- Be certified and experienced – The first thing to check is whether the potential vendor is certified. In Singapore, for instance, these include CREST, OSCP, and OWASP. Another factor to check is how long they have been in the space, and if they have enough experience handling multiple industries and different environments. This ensures that the team knows what they are doing.
- Deliver clear reports with recommendations that are prioritised according to risks – Apart from being easy to understand, reports must contain summary data for executives and detailed insights for technical staff. Furthermore, the report must have a prioritised risk-based list of findings with comprehensive step-by-step recommendations. Where applicable, screenshots on steps taken to exploit systems must be included. Your team must be able to understand and recreate the findings stated in the report. Because come to think of it: if you can’t understand the report or take actionable steps based on the findings, the entire penetration test is useless.
- Be able to conduct both manual and automated testing – While automated tools are good enough and quick to detect certain vulnerabilities, they cannot spot all and are prone to getting false positives. A great penetration test must involve the combination of several tools and manual techniques.
- Adhere to a documented workflow – There must be an organised, well-documented protocol before, during, and after any penetration testing process. This ensures that the test is complete, accurate, and can be repeated. Even though this is typically very high-level, the workflow must also contain detailed steps.
- Follow a Rules of Engagement (ROE) document for definite expectations – Having an ROE ensures that all stakeholders and participants are on the same page and there are no last-minute changes or surprises during the test. This also ensures that expectations are set. The ROE document must be signed by the organisation and the pentesting vendor. In this way, there is mutual clarity in moving forward with the process.
- Be clear and consistent in communicating – As with any other service, routine communication must be practiced during the penetration test. This should be the case when the testing commences, or when critical findings are discovered, and more. Similar to the ROE, clear and consistent communication throughout the penetration testing process is crucial to the success of the process.
- Exhibit professionalism and respect – Although this is already obvious, it still needs to be highlighted. The mindset of the penetration testing team should be that the focus of the test is to help the organisation secure their environment, not create an environment for them to hone their skills or try out new stunts. Exploiting the system beyond what is in the ROE is bad practice. In this regard, the team must be able to provide ‘testimonials’ and references from previous clients.
- Detect and remove false positives – A false positive happens when a vulnerability or a problem is supposedly detected when in reality, there isn’t one at all. The third-party vendor must make all efforts to remove false positives and identify questionable findings. Circling back to the discussion earlier, this is why manual analysis is crucial. Receiving a report with false positives can be a waste of your time.
- Offer options to “retest” – After the submission of test report findings, many organisations do take the necessary steps to fix the issues identified by penetration testers. However, some may not have validated if the steps worked. The penetration testing team must offer an option to conduct a rerun of the test after the remediation.
- Be able to protect your data, both during and after the test – As mentioned earlier, the penetration testing team must adhere to a documented process to ensure that the organisation’s data remains secure. Reports must be labeled accordingly, handled with care, and shared only to authorised staff of the organisation.
Whenever a data breach or a cyberattack occurs, the organisation suffers more than just the financial repercussions. Trust from stakeholders as well as the integrity of the entire organisation are at stake. Why not take measures now to protect your systems, your employees, and your clients from a cyberattack? In this regard, Singapore has several certified and qualified third-party vendors for your penetration testing needs. Once you’ve done your due diligence, leverage their services now before it’s too late.
Outsourced Data Protection Officer – It is mandatory to appoint a Data Protection Officer. We help our clients quickly comply with their PDPA & data protection requirements.
Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.
Smart Contract Audit – Leverage our industry-leading suite of blockchain security analysis tools, combined with hands-on review from our veteran smart contract auditors.