With strengthening regulation and a constant rise in cyber attacks, more and more organizations turn to external specialized companies to assess their infrastructure from an attacker's point of view. Offensive security has been around for a while, but the surge in service providers requires organizations to be more diligent when choosing the right one.
Experienced Testers and Certification
A penetration tester will gain deep insight into the security and the weaknesses of an organization's infrastructure. It is essential that they are highly trusted and competent professionals. A company holding a certification to operate, such as "CREST member company" status, attests to the seriousness of the service provider.
At the individual level, penetration testers who can prove their experience and hold a recognized certification, such as CREST CRT or Offensive Security OSCP, should be the bare minimum. Conducting an interview with the potential tester is also worthwhile. It is one thing to be a highly technical professional, but that is worth nothing without fundamental cybersecurity soft skills.
The ability to analyze the tested environment and to communicate findings to the customer is as important as pure technical skill.
Manual Testing versus Automated Testing
When contracting with a pentesting company, you must ensure that the service goes beyond a vulnerability assessment. Automated vulnerability scanning typically takes place at the beginning of a penetration test as part of the reconnaissance phase. It is one thing to have a vulnerability; it is another for that vulnerability to actually be exploitable.
A penetration tester will rely on both automated testing and manual assessment: the first to quickly find problems, the second to reduce false positives and false negatives. A penetration testing service must always include manual vulnerability research and exploitation.
This goes hand in hand with the quality of the tester. Generally, an experienced and certified pentester will follow the appropriate methodology according to the time available and the scope of the engagement. A methodology ensures an organized assessment. It is very important because it provides reproducibility: if you test a scope at one point in time, you will be able to compare the evolution of your security posture in the future.
The most well-known penetration testing methodologies are the following:
- OWASP: the Open Web Application Security Project provides probably the most well-known testing framework. It is generally used as a first step when auditing web applications.
- OSSTMM: the Open Source Security Testing Methodology Manual is maintained by the Institute for Security and Open Methodologies. It has been around since 2000. The manual provides a scientific approach to technical security assessment that can be tailored to an organization's needs.
- NIST 800-115: this technical guide helps organizations plan and conduct cybersecurity testing. It covers vulnerability assessment, mitigation strategies and policy compliance. The publication enhances the accuracy and value of an organization's existing internal security assessments.
- PCI-DSS PTG: the Payment Card Industry Data Security Standard Penetration Testing Guide is supplemental guidance for tests conducted on payment processing infrastructure.
- PTES: the Penetration Testing Execution Standard is a comprehensive methodology designed to enhance the outcome of a pentest by modeling the threat actor. It emphasizes OSINT reconnaissance and threat modeling to frame the penetration testing scope where it really matters for the organization.
Other methodologies and guidance can be used as well. The most important thing is to ensure that the service provider uses one that is appropriate for the scope.
Prioritize the pentest scope
There are many motivations for requesting an external security assessment: obtaining an industry certification, testing compliance, or simply burning budget. Ideally, the scope and intended outcomes should be selected based on risk. Testing for vulnerabilities on a perimeter is useless if that part of the infrastructure does not carry critical business risk.
Penetration testing combines well with risk-based vulnerability management. By prioritizing vulnerability discovery, analysis and mitigation on a scope that is critical for the organization, it helps security professionals be more business-friendly. For a CISO, it demonstrates an ability to understand the organization's environment and raises the perceived value of cybersecurity matters among senior executives.