Six simple techniques to improve the value of penetration testing and save tens of thousands of yuan
2022-07-29 01:42:00 【Super technology】
Regular penetration testing, or pentesting, simulates a network attack using the same tools, techniques and procedures an attacker would use, and is an important part of understanding an organization's security posture. The results of a penetration test help you identify risks and gaps in your security controls. Finding and fixing problems before an attacker finds them helps keep applications and infrastructure secure. Unfortunately, many penetration tests fail to deliver the expected results because the scope is poorly defined, the objectives are unclear, or the test is unrealistic. So how do you get the maximum value from the money you invest in penetration testing?

1: Choose penetration testing vendors wisely
Choosing a penetration testing vendor that is reasonably priced, has skilled testers, a good track record and high-quality deliverables will help ensure high-quality results, and will leave some budget for further testing or retesting.
When selecting a penetration testing vendor, there are three main considerations: price, skills and experience, and report quality.
Price
This is the least important consideration. Most penetration test engagements are priced very similarly, with budget, premium and platinum tiers.
Also look for vendors that bundle a retest of the discovered vulnerabilities into the price. If a retest is not included, it can add 10% to 20% to the initial cost of the test, depending on the vendor and the type of test.
Skills
Skills and experience are the next most important criteria. Look for companies whose tester teams hold CREST or OSCP certifications. In addition, ask for the bios of the testers who will perform the test, and look for vulnerabilities with CVE numbers or bug bounty findings that can be attributed to the vendor or to its individual testers.
The report
Provided the vendor has sufficiently skilled testers, the quality of the report is the most important criterion when selecting a penetration testing vendor. The report is what your organization is left with once the testers have moved on to their next engagement.
Penetration testing is expensive, and the "recommendations" provided in penetration test reports are often worthless and alarmist. It's true; I have written quite a few penetration test reports in the past. Phrases such as "implement best practices" do not help drive the changes needed to improve an organization's security posture.
Look for reports with actionable remediation advice, including configuration and code snippets. Above all, ask for a sample report and check it for alarmist findings, for example a missing cookie flag rated "High". A report full of alarmist findings will not help you drive remediation within your organization.
Also look for vendors that go further by integrating with your systems to raise tickets for the issues they find, or that provide videos of the exploitation, which show how easily an attacker could take advantage of a technical security issue.
2: Perform white box tests to save time and money
In a white box test, you give the penetration testers detailed information about the target environment: domains and subdomains, host names, IP addresses, network diagrams, accounts with different permission levels, Swagger/OpenAPI definitions, and even access to source code. White box testing greatly reduces or eliminates the information gathering, reconnaissance and discovery phases, which can significantly cut time and cost.
White box testing follows an "assume breach" mindset: the penetration testers are given access and asked to execute test cases such as privilege escalation, lateral movement, and identifying sensitive systems or data.
3: Perform a black box test to find the actual perimeter
In a black box test, you give the penetration testers minimal information about the target, for example a domain name, an IP address or host name, an IP subnet, or as little as the company name. This type of test is suited to simulating a targeted attack, such as an advanced persistent threat (APT).
Black box testing is also a good way to find shadow IT. Do you know all of your registered domain names? Your IP address space? Do you know which cloud platforms your organization is using? Do you know where all the systems your organization uses are located?
You may confidently say "yes", but you may be surprised by the results of a black box test: domains you did not know about, cloud usage, SaaS and shadow IT. Remember, you cannot protect what you do not know about.
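As an added illustration (not part of the original article), the following Python script shows the reconciliation step behind the questions above: the DNS records a black box tester has discovered are compared with the organization's own inventory of domains and IP ranges, and anything that does not match is flagged as a candidate for shadow IT, unknown cloud usage or SaaS. The inventory, the discovered records and the list of third-party DNS suffixes are all constructed for this example; real discovery data would come from passive DNS, certificate transparency logs and subdomain enumeration, and the registrable-domain logic is a simplification that a real tool should replace with the Public Suffix List.

```python
import ipaddress
from collections import Counter

# Constructed inventory: what the organization believes it owns (e.g. from its CMDB).
KNOWN_DOMAINS = {"example.com", "example.net"}
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Explicit RFC 1918 ranges. Python's ip.is_private also matches the documentation
# ranges used in this sample, so the check is written out instead.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed list of DNS suffixes that indicate a third-party cloud or SaaS provider.
THIRD_PARTY_SUFFIXES = (".amazonaws.com", ".azurewebsites.net", ".herokuapp.com", ".zendesk.com")

# Constructed discovery output as (hostname, record type, value), standing in for what a
# black box tester would gather from passive DNS, CT logs and subdomain brute-forcing.
DISCOVERED = [
    ("www.example.com", "A", "203.0.113.10"),                             # known host, known range
    ("api.example.com", "A", "203.0.113.20"),                             # known host, known range
    ("dev-api.example.com", "A", "192.0.2.77"),                           # resolves outside owned IP space
    ("staging.example.net", "A", "198.51.100.200"),                       # in the /24, but outside the inventoried /25
    ("support.example.com", "CNAME", "examplecorp.zendesk.com"),          # SaaS the inventory may not list
    ("marketing.example.com", "CNAME", "examplecorp-site.herokuapp.com"),  # cloud-hosted site
    ("portal.example-legacy.com", "A", "203.0.113.30"),                   # unknown domain on owned IP space
    ("intranet.example.com", "A", "10.0.0.5"),                            # private address leaked into public DNS
]


def registered_domain(host):
    """Return the registrable domain of a host name.

    Assumption: the last two labels form the registrable domain. This is wrong for
    multi-part suffixes such as co.uk; a real tool should use the Public Suffix List.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def reconcile(discovered, known_domains=KNOWN_DOMAINS, known_ranges=KNOWN_RANGES,
              third_party=THIRD_PARTY_SUFFIXES):
    """Compare discovered DNS records with the inventory; return (host, category, value) findings."""
    findings = []
    for host, rtype, value in discovered:
        if registered_domain(host) not in known_domains:
            # A domain the inventory does not know about at all: classic shadow IT.
            findings.append((host, "unknown_domain", value))
            continue
        if rtype == "A":
            ip = ipaddress.ip_address(value)
            if any(ip in net for net in RFC1918):
                # Internal addresses in public DNS leak network layout to an attacker.
                findings.append((host, "private_ip_in_public_dns", value))
            elif not any(ip in net for net in known_ranges):
                # Known domain resolving outside owned address space: likely cloud or hosting usage.
                findings.append((host, "ip_outside_known_ranges", value))
        elif rtype == "CNAME":
            target = value.lower().rstrip(".")
            if target.endswith(third_party):
                findings.append((host, "third_party_saas_or_cloud", value))
            elif registered_domain(target) not in known_domains:
                findings.append((host, "cname_to_unknown_domain", value))
    return findings


def summarize(findings):
    """Count findings per category so the report can lead with the biggest gaps."""
    return Counter(category for _, category, _ in findings)


if __name__ == "__main__":
    results = reconcile(DISCOVERED)
    for host, category, value in results:
        print(f"{category:28} {host:30} -> {value}")
    print(dict(summarize(results)))
```

Two of the eight sample records are clean; the other six each surface one of the surprises the article lists. The staging host is the instructive one: its address sits inside a /24 the organization uses but outside the /25 actually recorded in the inventory, which is exactly the kind of gap between "what we think we own" and "what is reachable" that a black box test exposes.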
Getting the best return on your money
Correctly defining the scope of a penetration test is the key to extracting maximum value from the investment.
4: Don't use penetration testers as an expensive vulnerability scanner
If your organization is not up to date with patches, why use penetration testers as expensive human vulnerability scanners? Why pay penetration testers to tell you what your vulnerability management program can already tell you?
For example, if you give a decent penetration tester access to an internal network where most hosts are missing critical patches, they should have Windows domain admin within a day.
An infrastructure penetration test on an unpatched internal network will produce a thick report and is almost guaranteed to end in successful exploitation. Make sure penetration tests are targeted instead, as the following tips describe.
5: Select custom test cases to identify company-specific vulnerabilities
Most penetration testing vendors define standard test cases in their statements of work, usually the OWASP Top 10. These are important test cases, but as a security professional within your business you will have your own doubts, concerns or known risks about the system under test. Turn these into test cases and give them to the vendor when scoping the test.
Among the company-specific test cases I typically ask for is privilege escalation within the application. For financial applications, I ask for a series of negative or fraud-based test cases, for example negative amounts in payments.
Also, don't forget to include test cases derived from previous breaches, threat intelligence, or vulnerabilities found in earlier penetration tests.
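As an added example (not from the original article), here is what the two company-specific test cases mentioned above look like once they are written down as executable checks against a hypothetical payment handler: a deliberately weak `transfer_weak` that trusts the client-supplied source account and amount, next to a hardened `transfer_hardened`. The accounts, both handlers and every test input are constructed for this illustration; the point is that "negative amount in a payment" or "pay out of another customer's account" becomes a concrete, repeatable test case that can be handed to the vendor rather than a vague concern.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    owner: str
    balance: Decimal


class PaymentError(Exception):
    """Raised when a transfer is rejected."""


def fresh_accounts():
    """Constructed sample ledger: two customers, so one can try to rob the other."""
    return {
        "alice-acct": Account(owner="alice", balance=Decimal("1000.00")),
        "mallory-acct": Account(owner="mallory", balance=Decimal("50.00")),
    }


def transfer_weak(accounts, requester, src, dst, amount):
    """Deliberately weak (hypothetical) handler: it checks neither ownership of the
    source account nor the sign, size or precision of the amount."""
    accounts[src].balance -= amount
    accounts[dst].balance += amount
    return accounts[src].balance, accounts[dst].balance


def transfer_hardened(accounts, requester, src, dst, amount):
    """Hardened handler: the requester must own the source account, the amount must be
    a finite, positive, two-decimal value, and the source must be able to cover it."""
    if src not in accounts or dst not in accounts:
        raise PaymentError("unknown account")
    if src == dst:
        raise PaymentError("source and destination are the same account")
    if accounts[src].owner != requester:
        # Horizontal privilege escalation: paying out of someone else's account.
        raise PaymentError("requester does not own the source account")
    if not isinstance(amount, Decimal) or not amount.is_finite():
        raise PaymentError("amount must be a finite decimal")
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        # A negative amount reverses the payment, zero is a no-op that may still
        # trigger side effects, and sub-cent precision hints at tampering.
        raise PaymentError("amount must be positive with at most two decimal places")
    if accounts[src].balance < amount:
        raise PaymentError("insufficient funds")
    accounts[src].balance -= amount
    accounts[dst].balance += amount
    return accounts[src].balance, accounts[dst].balance


# Company-specific negative test cases of the kind the article suggests adding to the scope.
# Each entry is (requester, source, destination, amount); all values are constructed.
TEST_CASES = {
    "negative amount reverses the payment": ("alice", "alice-acct", "mallory-acct", Decimal("-500.00")),
    "zero amount": ("alice", "alice-acct", "mallory-acct", Decimal("0.00")),
    "sub-cent amount": ("alice", "alice-acct", "mallory-acct", Decimal("0.001")),
    "non-finite amount": ("alice", "alice-acct", "mallory-acct", Decimal("Infinity")),
    "pay from another customer's account": ("mallory", "alice-acct", "mallory-acct", Decimal("100.00")),
    "overdraw the source account": ("alice", "alice-acct", "mallory-acct", Decimal("10000.00")),
}


def run_test_cases(handler):
    """Run every negative test case against a handler on a fresh ledger.
    Returns {case name: "blocked" | "ALLOWED"} so the two handlers can be compared."""
    results = {}
    for name, args in TEST_CASES.items():
        try:
            handler(fresh_accounts(), *args)
        except PaymentError:
            results[name] = "blocked"
        else:
            results[name] = "ALLOWED"
    return results


def baseline_payment(handler):
    """A legitimate 100.00 payment from alice to mallory; any correct handler must allow it.
    Balances are returned as strings so the result is easy to read and compare."""
    src_balance, dst_balance = handler(fresh_accounts(), "alice", "alice-acct", "mallory-acct", Decimal("100.00"))
    return str(src_balance), str(dst_balance)


if __name__ == "__main__":
    for label, handler in (("weak", transfer_weak), ("hardened", transfer_hardened)):
        print(f"--- {label} handler (baseline payment -> {baseline_payment(handler)}) ---")
        for case, outcome in run_test_cases(handler).items():
            print(f"{outcome:8} {case}")
```

Running the script shows the weak handler allowing all six abuse cases (a negative 500.00 payment leaves alice with 1500.00 and mallory at -450.00) while the hardened one blocks each with a specific reason and still accepts the legitimate payment. Each key in `TEST_CASES` is phrased the way it would appear in a scoping document, which is what makes it reusable across engagements and comparable to the previous test's results.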
6: Select goal-based tests to target specific test cases
Goal-based testing sets a clear goal for the testers, which is no surprise. The goal is pursued against specific test cases or threats. Can the penetration testers get access to the CEO's laptop? Can they get into SAP payroll?
Goal-based testing helps confirm or refute internal assumptions about the effectiveness of controls, or the likelihood of a risk, for the chosen goal.
Translated from the original article on databreachtoday by Charles Gillman; translation by Super technology. Reprints on partner sites must credit the source and the original article.