One of the typically required steps of going through a SOC audit or an ISO 27001 audit is getting a penetration test for your company. A penetration test (often referred to as a “pen test”) is a simulated attack by a third-party that helps find vulnerabilities in a company’s infrastructure, systems, and applications. A pen tester then provides a report with their findings which a company can use to fix outstanding issues.
Unfortunately, the world of pen testing is just as much of a black box as the compliance process. Below, we speak with Alex Lauerman, Founder & Principal Security Consultant at TrustFoundry, to answer some of the most common questions we hear from our customers about pen testing.
Alex Lauerman, TrustFoundry: If you’re required to do a penetration test as part of a compliance framework like SOC 2, it’s always best to work with your auditor to figure out the scope and make sure your approach is acceptable.
Generally, the requirement from SOC 2 or ISO 27001 will be something like “annual penetration testing” which leaves room for interpretation. The safest option is to work with your auditor to figure out what your pen test should cover.
A penetration testing company like TrustFoundry can provide some guidance based on previous experience, but given your auditor has the final say on what is acceptable, it’s important to get their buy-in at the end.
Alex Lauerman, TrustFoundry: Penetration testing typically occurs annually because an annual test is often the requirement of the compliance framework, and also a reasonable internal requirement.
Companies can do it less frequently if it’s not needed or required annually. They can also do it more frequently if there are significant changes or feature updates, and a company feels it’s worthwhile to look for potential vulnerabilities.
Continuous testing is growing in popularity; it can be implemented in different forms, with the overall goal of testing new functionality as it is introduced, in an effort to keep up with fast-paced development teams.
Alex Lauerman, TrustFoundry: Penetration testing can cost anywhere from $1,000 or less for an extremely narrow scope, and up to $100,000 or more for a very large assessment. The biggest and most expensive assessments often contain multiple components, such as network penetration testing, application penetration testing, and mobile penetration testing.
A majority of pen tests are generally in the $5,000 to $20,000 range, with the average being around $8,000 to $10,000. If this is your company’s first penetration test, your scope is likely to be small and be below average in terms of cost.
It’s important to note that pricing is generally associated with the level of effort required by a pen tester, although rates can vary from company to company. If you have questions about how pricing is structured or what will be included in the pen test, you should ask your pen tester.
Alex Lauerman, TrustFoundry: It’s not easy to differentiate between different pen test providers, even though their ability to deliver can vastly differ. You want to make sure you know what the offering is, the level of effort, and the quality you’ll be receiving while also balancing cost, timeline, and other decision factors you have.
Below are some of my tips on how to go about picking a pen tester.
When possible, get referrals from people you trust. Ideally, it’s someone who has quite a bit of experience or knowledge of penetration testing.
Penetration testing should leverage automation where possible, but the core effort in a penetration test is manual analysis. Completely automated analysis can only find 10-20% of vulnerabilities in most cases.
If someone is just running a scan, this does not constitute a penetration test and will not be effective in identifying all potential vulnerabilities. Remember, a penetration test is trying to identify what a real attacker may exploit. You should discuss with your provider where automation will be used and how much manual analysis will be performed.
A red flag would be seeing output in your report that comes directly from a tool. This is usually easy to spot because these tools have poor text, but if you google specific sentences or finding titles, they will usually be found verbatim on the internet if they are built into a tool.
There is a correlation between report quality and penetration testing quality. Don’t focus on the quality of the findings on a sample report as companies can cherry-pick vulnerabilities. Instead, look at the format of the report itself and see if it’s visually appealing and laid out in a format that is easy to understand. That should help provide an indication of the quality of the pen tester.
Reports can sometimes be too long and have too much unnecessary data. Look for a clear and succinct writeup for each finding, complete with screenshots and relevant data. If something is easier to understand, that's usually the mark of a skilled pen tester. A good pen tester will write their own report with the end in mind: The client taking these results and forming actionable items for remediation.
Formatting done well can be a joy to work with. Check that the sample report has a table of contents and is indexable from the sidebar. This makes jumping back and forth through various findings simple and easy. Your engineers will thank you.
The pen testing industry is constantly evolving, so you want to look for a company where the consultants are fully dedicated to penetration testing instead of splitting their time up between a variety of security-related tasks. You can also ask who is likely to be performing the work and their bios. From there, you can see if these consultants have well-respected certifications such as ones from Offensive Security or are otherwise involved in the penetration testing industry through blogging or conference talks.
If you’re a larger company with a lengthy procurement process, a larger penetration testing organization that has more offerings may be a good fit. If you're a small to mid-sized company and want a pen tester who is more agile, excited to win your business, and able to provide a great experience, you might want to select a smaller company.
Avoid companies that haven’t been in the space too long or haven’t been growing, as that’s often an indication of their quality.
One helpful way to evaluate a company is through their blog. Companies that deliver quality penetration tests will usually have quality content and information about their customers’ challenges or security research.
If after going through all these steps, you’re still unsure, get multiple bids from companies. During these discussions, you’ll learn more about what people are offering and why, and which company feels like the best fit for your needs, budget, and timeline.
If you’re interested in getting SOC 2 compliant and getting connected to one of Secureframe’s preferred pen testers such as TrustFoundry, schedule a free demo today!