Getting ready for a pentest might seem overwhelming, whether it’s your first or your fourth.
But because cyber threats are ever-evolving and ever-dangerous, a proper annual penetration test should not be skipped.
To get organized with your upcoming pentest, it’s important to ask yourself a few core questions before conducting the assessment. Get started with these five:
1. Do You Need a Pentest, or Do You Need a Security Vulnerability Assessment?
Think of a vulnerability assessment like a burglar scouting the outside of a house, doing a quick search for windows or doors that are open. In comparison, a pentest would search for all the possible ways of getting in, like finding the house key under the doormat or a window that isn't open but is unlocked.
A security vulnerability assessment is usually a non-intrusive process that can typically be carried out without downtime or changing any settings within the application or systems. The assessment can also be done within a relatively short time frame and with fewer people involved.
A pentest, in contrast, is a much more in-depth engagement with a larger group doing everything they can to find vulnerabilities. It involves finding evidence of all issues, creating new accounts, and elevating privileges within systems and applications. Compare pentesting vs. vulnerability assessments more deeply here.
2. What’s The Budget?
It's essential to determine if you have the proper budget before deciding between a vulnerability assessment and a pentest. A quick assessment of an application may not be that costly — typically running a minimum of $25K — whereas a full-scale pentest can rise above the $100K mark based on the type of penetration test, time, and effort involved.
It’s important to understand that every penetration test is billed uniquely and will vary in cost based on its scope, size, and complexity. For example, a web application penetration test for a small start-up company may only run around $25,000. In comparison, a web application penetration test for a large company with two extensive web applications could be closer to a $140,000 price tag. Determine the true cost of a penetration test here to see if it’s a realistic investment for your business.
3. Do You Have the Time to Prepare?
Knowing how much time you have before an assessment is completed can be extremely important. In addition, it is essential to know if you need the assessment to pass a compliance audit or launch a project, which can shrink your timeline to find the right pentester, run the test, and immediately address the highest-priority remediation recommendations to reach compliance.
Since an assessment only checks for known issues, it can take as little as a day to complete or at most a couple of weeks, whereas a full pentest could last up to six weeks to finish discovery and then find all the vulnerabilities. On top of that, don’t forget the time you’ll need to review the results and create your plan for remediation.
4. Will You Be Able to Communicate with the Pentesters Mid-test?
Because penetration tests are actual attacks against your systems, it is impossible to guarantee uptime or availability of services throughout the test. However, most testers know in advance when a specific attack will bring down your system or "hang" a service and discuss this in the scoping conversation.
Having clear lines of communication with the pentesters can ensure that you are setting yourself up for success. In addition, the right pentesters should constantly debrief the client with regular updates throughout the process (not just when something goes wrong). If a pentester refuses to communicate with you during the engagement, you run the risk of unknown disruptions that may affect your customers.
5. What Happens After the Pentest?
Most companies will provide information on issues that were found during the testing. However, not all pentesters provide the same quality of pentesting report. Here at Mitnick Security, for example, we provide an in-depth report of our discoveries, which is considered by many to be the golden standard of pentesting reports for its precise detail and explanations of attacks. We also assist in prioritizing what should be fixed immediately and what steps to complete to avoid issues in the future, which not all pentesters provide. Curious to see the anatomy of a pentesting report? Check out this infographic.
After reviewing your pentesting results internally, you can meet with your pentesters to discuss a plan for addressing your high-, medium-, and low-priority security vulnerabilities. From there, it is up to your organization to carry out the remediation itself or to work with a security team to do so.
See How Your Security Stacks Up
Before looking for penetration testers or researching pentesting services, it’s important to have a general idea of your organization’s security posture. However, when asked how they’d rate their security readiness, many organizations aren’t quite sure how to answer.
How ready are you for a cyber attack? Download our 5-1/2 Easy Steps to Avoid Cyber Threats today to see if you are following these best practices. You may even be inspired to make a few remediations of your own before conducting a pentest.