Friday, August 26, 2022

How to choose a pen testing company that will deliver you an amazing ROI

Selecting a pen testing services company will be one of the most important business decisions you will make. This decision will decide just how well protected your users and your brand is going to be from a cybersecurity perspective. Asking these 6 questions will help you ensure that you choose a penetration testing company that is best suited to helping you secure applications and network infrastructure.

First, when should you involve a penetration testing company?

You're reading this because you know the software that you're building or maintaining needs to be assessed for security vulnerabilities.

If you're on this hunt for a pen test company because you want make security a key product differentiator in your space, then you're already ahead of the pack.

If you're looking for a penetration testing partner because one of your prospects/customers/users has demanded that you produce a report showing that your software has undergone penetration testing, then you have little time to make a decision. That's why it's imperative you make this decision based on objective criteria.

You could just land that big new enterprise customer by making sure you answer these 10 critical software cybersecurity questions in your response.

For most teams who don't have a regular security program, penetration testing or even vulnerability assessments, usually create some chaos. So belonging to the first category affords you the convenience of choosing when to "create chaos" for your team.

The question of timing your penetration tests has no absolute answer. People who tell you that you should get a penetration test once a year usually stick with that line because it's a common (but not necessarily correct) rule of thumb.

Want to see how you can prove to your customers that you have 7-star application security?

The application security landscape is changing rapidly. So checking your software for vulnerabilities once-a-year should be a bare minimum. Depending on your industry, you may need to switch to quarterly web application penetration testing services and back it up with daily vulnerability scans with a top notch automated security testing tool.

A more scientific approach is to work out how often your code base changes roughly 20%. A change to your code base is both addition of new code and modification of existing code. Accordingly, you should schedule a penetration test every time your code base change 20%.

The 20% number is also important for another reason: the amount of potentially exploitable vulnerabilities introduced to your application because of developers not applying the appropriate security patches increases exponentially as your code base grows:

How to choose a pen testing company

Calculating the number of pen tests you actually need each year will also dictate when you need to onboard an internal AppSec expert. If your application's pace of change/growth requires you to conduct more than 4 penetration tests every year, then you may be better off hiring someone in-house.

If you can get by with less than 4 penetration tests annually, then make sure you ask these smart questions of your pen testing partner.

The 6 key questions to ask before selecting a penetration testing company

The answers to these 6 questions will ensure that your outsourced pen testing project delivers tremendous value and is not one of those disappointing IT outsourcing situations that we often hear about:
  1. Where do the responsibilities sit between you, the customer, and the external pen testing company?
  2. What type of results has the pen testing company delivered for their other customers?
  3. What results will I get from the pen testing project?
  4. How will our teams communicate with each other?
  5. What can you offer us that your competitors can not?
  6. When can you start? Can you work weekends or after hours?

Remember, as with any technical or business discussion it is never enough to simply rely on the first answer. In order to truly assess capability and alignment with your goals and values, you must delve deeper into every answer that a prospective pen testing services company gives you.

For instance, if upskilling your development team to become a little more self-sufficient in conducting basic app security tasks themselves, then basic pen testing services will be of no use to you. You will need vulnerability assessment and penetration testing tool that helps your developers maintain security in between your full manual penetration tests.

Advanced Step: assess your penetration testing company's commercial sense

Conducting pen tests on a web or mobile application and network infrastructure is like conducting an angiogram on a 60-year old man - you are bound to find something that is not right. However, your team probably doesn't have endless time to keep finding and resolving every security vulnerability under the sun.

That's why the best pen testing services providers employ ethical hackers who not only have great technical skill, but also possess sound commercial sense. This combination of attributes allows pen testing companies like ours to prioritise vulnerabilities by risk and help you objectively prioritise security vulnerability resolution.

This is not an easy characteristic to understand without working with a pen testing company on a real project. However, by talking through the examples of where a pen testing company has demonstrated such commercial sense will likely give you great insight into their capability to deliver you commercial value.

Do you want to start with a vulnerability assessment report that you can get within 48 hours?

What pentesting services do you need if you have many apps or need constant application security?

If you fit into this boat then you're not looking for one-off, ad-hoc pentesting services, because such practices will lead to vulnerabilities being missed and emotions getting out of control due to the fallout. What you need to build a culture of security in your software dev team.

This is not an easy process, nor does it happen overnight. To accomplish this you need to put in place the right people, processes and products (tools) to help your development team conduct security-related activities as part of their normal SDLC workflow. To use a buzzword, you're looking to "shift left".

Almost always, successfully undertaking this type of transformation will require a top-down approach from you or a member of a senior management team. There is a pattern and rules to help your software development team successfully embark on a journey of continuous improvement.

Back to the topic of pentesting for you, a more suitable model for your needs is likely to be the pentesting-as-a-service (PTaas) solution.

Unlike traditional penetration testing services that give you a one-off security test and then leave you to your own devices to taken on the might of hackers by yourself, our penetration test-as-a-service solution gives you the best self-service web app vulnerability scanning tool that you can run daily + in-depth manual penetration tests multiple times per year + a dedicated and on-demand channel to help your dev team communicate with application security experts.

Think of PTaaS as a turnkey software security program that will help you understand and manage your security posture on a daily basis, rather than just a few times a year.

If you need a fixed-fee penetration testing quote with a customised pen testing plan that delivers you tremendous value, book your discovery call to understand why working with Audacix for your pentesting needs will be a decision that delivers an amazing ROI for you, your brand and your users.

SaaS Brief