The cybersecurity market has grown exponentially in the past decade and will continue to grow to meet ever-increasing demand. Every organization is currently attempting to improve its security posture. To achieve that, multiple steps are being taken:
- Introducing security to their supply chain
- Prioritizing security in the Software Development Lifecycle
- Performing training to increase awareness and capability building
All these steps are in the right direction towards improving the security posture, yet the attacks do not stop.
Let’s get one thing straight: no penetration testing vendor can ensure 100% security; there will always be something. But continuous evaluation of the organizational security posture helps in keeping things in perspective.
To keep things in perspective, organizations select external partners or vendors to perform their security assessments. This is not always because of a lack of trust or capability within the internal security team, but due to the following factors:
- Third-party Assessment of Security Controls Implemented
- Identifying and Assessing the Attack Surface of the Organization
- Building Internal Capabilities
- Improving Overall Security Posture
In this blog post, we will look at one of the above-mentioned factors – “Third-party Assessment of Security Controls Implemented” and will cover others in subsequent blogs.
There are a few things that we think are critical when choosing an external partner for assessing the currently implemented security controls. Let’s cruise through them one by one:
1. Well Defined Plan-Of-Action
From the initial scoping till the close-out of the assessment, multiple steps are performed. The vendor that provides the most clarity on the plan of action will be the easiest to work with.
Setting up milestones, defining ROIs, documenting each step, and defining a process for keeping the customer in the loop about what’s going on during the assessment are a few things that should be considered in a well-defined plan of action.
2. Methodology – Automated and Manual Pentest
Automation has come a long way, and there are different tools in the market that promise a vulnerability assessment with full coverage of the environment, but nothing beats good old manual penetration testing.
While choosing a vendor, the customer must try to understand whether the methodology consists only of automation (tools like Nessus, Burp Suite, Netsparker, etc.) or whether it will be complemented by manual testing that covers test cases related to logical issues such as broken access control, business logic flaws, etc.
3. Skills Weigh More Than Certification
The security industry has yet to agree on a universal certification system for confirming proficiency. As a result, when choosing vendors, emphasis should not be placed on specific certifications; otherwise, we may miss out on a lot of excellent security professionals. Skills should be given greater weight than certifications.
Instead, ask for their profiles to be shared and check for things that further demonstrate skill and passion, such as activity at conferences (Black Hat, DEF CON, nullcon, etc.), verified CVEs (Common Vulnerabilities and Exposures), publications in reputable media, contributions to tools, etc.
4. Communication & Collaboration
While assessing a vendor, ask for their plan regarding communication and collaboration. Choose vendors whose skilled professionals collaborate with their customers and keep them up to date on every step of the assessment process. Keeping the customer updated about the status of the assessment and being flexible with the deliverables is extremely critical, as is communicating transparently with the stakeholders if there are any blockers or issues.
Excellent communication (verbal and written) and collaboration skills will help ensure the objective of the security assessment is achieved.
5. Clarity On Next Steps
Reporting is one of the most crucial parts of any security assessment. It allows customers to understand their security posture and what steps should be taken to improve it.
A good report will provide clarity on the discovered issues, their impact and how adversaries could use them, remediation steps with priority advice, and suggestions on how to improve the overall security posture of the organization. A reassessment should also be performed after the remediations have been implemented.
Passionate individuals enjoy the work they do and work towards delivering the best possible result. Although not the only factor, passion, interest, and a mindset of looking out for the customer do contribute to excellent outcomes from a security assessment.
These are a few things that we think a customer should consider while choosing a penetration testing vendor.
Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystems, web applications, and networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s services and get started with the most effective cybersecurity assessments.
Have any specific requirements in mind? Let us know about them here and someone from our team will get in touch with you.