A guide for those looking to schedule their first pentest AND get the most return on the money and time spent on it.
Penetration tests (aka pentests) can be expensive! Depending on the complexity of your site or network, they may range from $25 all the way up, sometimes, to $100k! This is a guide for those looking to schedule their first pentest AND get the most return on the investment in an exercise like this. It is based on experience from being on both sides of the fence!
As with any third-party service, you want to get multiple proposals for the project. This is the “dating” phase of engaging with a third-party company. Throughout this process, many items will come up for consideration:
As with anything, there is no perfect vendor unicorn. They all have their faults and their promises. However, getting multiple proposals will allow you to see the best from every company and possibly fold those strengths into your requirements for the final vendor you pick.
With any vendor, you’re often dealing with both the sales team and the technical people. But the technical people you speak to during the sales process might not be the same people who will be doing the actual penetration testing. Likewise, you may see lots of published whitepapers and talks from the company, but if the company is large, you probably will not get those folks assigned to you.
One of the MOST neglected areas when scoping any engagement with any company is knowing who will actually be working on your project. A company may have the best reputation in the world, but much of that reputation rides on the backs of its senior researchers and consultants. As with any economy of scale, not everyone can be the best all the time. This is especially the case with larger companies. Many small boutique firms can confidently say that everyone they employ is a rockstar, but that becomes harder to maintain as the company grows. When first engaging a company, be sure to ask that senior resources are assigned to you. Then, when they schedule, here are some questions you can ask about each consultant:
Using some basic OSINT from the starting points above, you should be able to discern whether this person is an intern (which doesn’t mean they’re not good) or a senior person who has been with the company for many years.
Here are some other questions to consider:
Note: A junior at a penetration test firm is anyone who has spent less than a year at the company or has had about that much time total pentesting experience. Penetration testing consultants are exposed to a lot of environments in a short time frame, so they can become “senior” quickly.
Experience is important for several reasons. Even if an individual has several years of experience, they may not be particularly experienced at penetration testing itself. When you hire a consultant, soft skills come into play alongside technical skills.
A lot of work is needed on the client side as well to make a pentest successful.
Here is a checklist of items that will make the project a success:
If there is a choice between a development environment that is not quite the same as production and a staging environment closer to prod, my personal opinion is to go with the staging environment. Even if changes are being made in staging, just let the testers know and keep them in the loop on the exact changes being made. Remember: attackers are knocking on your production environment anyway, so use an environment close to production to get the most value from your engagement.
This needs no explanation: the more documentation, the better. Documentation is GOLD to every security engineer, architect, auditor, or tester out there. We love documentation. The fewer questions we have to ask, the more we can focus our time on testing and reviewing your environment and providing solutions.
One of the worst things you can do is make the vendor burn valuable hours waiting for your IT team to provide equipment or accounts. Make this a priority. If the pentest starts on Monday, accounts should be provisioned and provided to the firm the week before. Things can go wrong: credentials may be incorrect or may not have been received, or IT may be super swamped that week. You want to allow time for all the onboarding kinks to be ironed out.
Here are some credentials you may want to provide:
Chat is where it’s at. If you use chat daily with your co-workers, it makes sense to provide chat access for the testers too. After all, these people are going through your source code and hammering away at your environment. Time is money in a penetration test, so giving them instant access to you and your team will save everyone a lot of time when questions come up. Of course, create a single-channel Slack workspace to limit their access and invite your team leads to it as necessary.
A penetration test is intense, and depending on the level of security maturity in your environment, a lot of issues may arise. Be ready and have your team prepared to triage any bugs discovered or answer questions for the pentesters. It might be the case that you have awesome security and it will be just business as usual for your team. However, it’s better to be safe than sorry.
Many companies think getting a pentest is like scheduling a dental appointment: you just show up and it’s done. As you can see, it’s not that simple. For all the money and the expectations with a pentest, it pays to be prepared, especially if it’s your first. A good pentest company will have a complete onboarding checklist and make all of the above as painless as possible. However, that’s not always the case, and humans run even the best companies… so your mileage may vary.
I hope this guide has been helpful to you. While I do not conduct penetration tests myself, I do help coordinate, scope, and manage pentests as a vCISO. I also provide Enterprise Security Gap Assessments as a precursor to a pentest.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high-growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).