A Proven PenTest Methodology
Penetration tests, or pen tests, are a critical part of making sure your controls remain as strong as you think they are. Specifically, it is important that your PenTests are conducted by a skilled external firm. And this is true even if your organization has a competent internal security team – even in our case, with a competent and specialized internal security team to support our data security business.
An internal security team is critical to the continuous validation and maintenance of your security posture. However, in-house security teams are also notoriously susceptible to the same biases as your development team. For that reason, working with an external firm (or a few, like we do) allows you to get a fresh perspective to challenge those biases. An external firm can also provide very specific and deep skill sets that your smaller team may not always be able to provide.
Since we’ve had excellent results with our PenTest methodology – and our mission is to help secure the world’s data – I thought I’d share our methodology to maximize our pentesting success.
Finding vulnerabilities is the goal!#
Sometimes it’s hard to feel good about a weakness you have that someone else discovered – but you should. It shouldn’t make a difference whether the shortcoming was found internally or externally. The goal is to find your weaknesses and vulnerabilities before an attacker has the opportunity and motive to exploit them.
In fact, if a pen test does not conclude without finding at least some borderline security issues to consider, I would consider that a failure. Your pen testers should dive deep into your defined scope, and they should challenge your security decisions. If that's not happening, it is possibly due to a failure in one of the methods described below.
You get what you put into it#
You're paying a firm to work for you, so it's critical you put in the time and effort to make sure you get the best value. Start by evaluating where –and how – you want to focus your testing. Risk assessment is outside the scope of this article, but it's important to know up front what your goals are. You should use your goals to pick an assessment firm. Pick an organization that has a strong reputation for the type (and depth) of testing you're looking for.
Once you pick a firm, you need to explain your goals. It is critical that you articulate what you want as clearly as possible. Build your Statement of Work so that they understand your product, the kind of results you want, and the risks involved in the PenTest.
Before the engagement starts, try to clear as many barriers as possible. Whoever you’re working with will likely have some requests, but it’s good to be as proactive as possible and volunteer anything you think will help. Here are a few things to consider providing when setting up for the penetration test:
- API Documentation: Even if your API is externally exposed, but not expected to be used by the public, sharing any documentation you have can help researchers understand the system better and faster.
- Code Access: This may depend on your pen test goals, but if you think being able to reference the code would be helpful, then you should carefully consider it.
- Testing Accounts: Creating and providing accounts with established roles or configurations can help your pen testers to work faster.
- Communication Channels: Make sure you’re in sync on how you will communicate during the engagement. It is best if these channels are arranged and tested.
Once the engagement starts, make yourself highly available. Gather as many technical resources as you can for deep questions that may arise. It is YOUR responsibility to remove the obscurity from the system so that the pen testers can evaluate your true security posture. You may choose to do this through API documentation and code access, but it is even more important that you are available to answer questions and explain things that they may not have even considered.
You should check in with the penetration testers frequently, in part to evaluate their progress, but also simply to keep your established communication channels alive. For this reason, consider checking schedules ahead of engaging to be sure that the pen testers are going to be working during a time when your team will also be available.
Every issue raised during the pen test should be carefully considered. This is the perfect opportunity for you to reexamine prior assumptions. Even if something turns out to be a false alarm, your engineering and security teams often benefit simply by taking a closer look at the system in question, as well as by answering in detail the questions posed by the pen testers. Understanding critical security controls and how they function is always important to maintaining the integrity of your products.
If communication channels are well established, hopefully you will receive pen test results in real-time, as soon as they are discovered. Because pen test reports can entail a lot of time and effort, I like to start them immediately. Filing tickets to start tracking the issues is usually a first step. But there are many other important steps to consider.
Initially, you will focus on understanding the issues. Are there security controls which failed to work? Was some important step or aspect never even considered? In either case, pen test findings offer a great opportunity for your teams to learn. You must learn how to address not only this specific report, but also learn how to prevent similar issues in the future. You must use application design, development techniques, and other strategies to ensure that both the immediate issues and all categories of risk are covered.
For higher severity issues, you should follow your incident response process, and attempt to validate whether an unauthorized party has ever attempted to exploit the vulnerability.
As part of this overall learning process, it’s important to reproduce the issue discovered by the pen testers, internally and independently. This will help your engineering teams deepen their understanding of the issue. External remediation testing is a critical component of your information security strategy. It is typically best to start with internal validation of fixes, and only engage the pen testers for final mitigation testing when the entire report can be validated.
Penetration testing is a critical component to almost every security program. The tips above should allow you to get more value from this routine process.
VGS can reduce routine online pen testing and further secure your data and make compliance effortless. If you’re interested in learning more, let us know.