Tuesday, 14 August 2018

How to choose a pen testing company that will deliver you an amazing ROI

Selecting a pen testing company will be one of the most important business decisions you will make. This decision will determine just how well protected your users and your brand are going to be from a cybersecurity perspective. Asking these 6 questions will help you ensure that you choose a penetration testing company that is best suited to helping you secure your applications and network infrastructure.


First, when should you involve a penetration testing company?

You're reading this because you know the software that you're building or maintaining needs to be assessed for security vulnerabilities.

If you're on this hunt for a pen test company because you want to make security a key product differentiator in your space, then you're already ahead of the pack.

If you're looking for a penetration testing partner because one of your prospects/customers/users has demanded that you produce a report showing that your software has undergone penetration testing, then you have little time to make a decision. That's why it's imperative you make this decision based on objective criteria.

You could just land that big new enterprise customer by making sure you answer these 10 critical software cybersecurity questions in your response.

For most teams that don't have a regular security program, penetration tests or even vulnerability assessments usually create some chaos. So belonging to the first category affords you the convenience of choosing when to "create chaos" for your team.

The question of timing your penetration tests has no absolute answer. People who tell you that you should get a penetration test once a year usually stick with that line because it's a decent (but no more) rule of thumb.

The application security landscape is changing rapidly, so checking your software for vulnerabilities once a year should be treated as a bare minimum.

A more scientific approach is to work out how often your code base changes by roughly 20%. A change to your code base means both the addition of new code and the modification of existing code. Accordingly, you should schedule a penetration test every time your code base changes by 20%.

The 20% number is also important for another reason: the number of potentially exploitable vulnerabilities introduced into your application because developers have not applied the appropriate security patches increases exponentially as your code base grows.

Calculating the number of pen tests you actually need each year will also dictate when you need to onboard an internal AppSec expert. If your application's pace of change/growth requires you to conduct more than 4 penetration tests every year, then you may be better off hiring someone in-house.

If you can get by with fewer than 4 penetration tests annually, then make sure you ask these smart questions of your pen testing partner.

The 6 key questions to ask before selecting a penetration testing company

The answers to these 6 questions will ensure that your outsourced pen testing project delivers tremendous value and is not one of those disappointing IT outsourcing situations that we often hear about:
  1. Where do the responsibilities sit between you, the customer, and the external pen testing company?
  2. What type of results has the pen testing company delivered for their other customers?
  3. What results will I get from the pen testing project?
  4. How will our teams communicate with each other?
  5. What can you offer us that your competitors cannot?
  6. When can you start? Can you work weekends or after hours?
Remember, as with any technical or business discussion it is never enough to simply rely on the first answer. In order to truly assess capability and alignment with your goals and values, you must delve deeper into every answer that a prospective pen testing company gives you.

For instance, if your goal is to upskill your development team so that they become a little more self-sufficient in conducting basic app security tasks themselves, then basic pen testing services will be of no use to you. You will need vulnerability assessment and penetration testing software that helps your developers maintain security in between your full manual penetration tests.

Advanced Step: assess your penetration testing company's commercial sense

Conducting pen tests on a web or mobile application and network infrastructure is like conducting an angiogram on a 60-year-old man: you are bound to find something that is not right. However, your team probably doesn't have endless time to keep finding and resolving every security vulnerability under the sun.

That's why the best pen testing services providers employ ethical hackers who not only have great technical skill, but also possess sound commercial sense. This combination of attributes allows pen testing companies like ours to prioritise vulnerabilities by risk and help you objectively prioritise security vulnerability resolution.

This is not an easy characteristic to assess without working with a pen testing company on a real project. However, talking through examples of where a pen testing company has demonstrated such commercial sense will likely give you great insight into its capability to deliver you commercial value.

If you need a fixed-fee penetration testing quote with a customised pen testing plan that delivers you tremendous value, speak to us to understand why working with Audacix for your pen testing needs will be a decision that delivers an amazing ROI for you, your brand and your users.