My blog last month around ‘Standardising Penetration Testing’ sparked a fair amount of feedback from our clients. Most of the queries followed a similar theme – when is the best time to engage with a testing company? Our answer (unsurprisingly) was, the earlier, the better. I thought I’d expand on that this month and explain the benefits of engaging with testing companies earlier than you may think is usual.
The vast majority of clients that we work with typically engage us for one of 4 reasons.
- A new project, or a system/network upgrade.
- Best practice (typically in the form of an annual healthcheck).
- A breach.
Whilst the middle 2 points are very important and the last will hopefully never happen to you, I’ll focus on the first point for now.
When do companies typically engage us?
Normally, the workflow for engaging a testing company looks something like this:
- Product ‘X’ identified as a new solution/upgrade needed
- Evaluation of product/upgrade (usually in test environment)
- Beta rollout to live environment
- Realisation that product ‘X’ will need testing to ensure it improves (or at least, doesn’t weaken) existing security.
At this point, organisations usually reach out to testing companies they may have previously partnered with, with a roll out date looming rapidly and the cost of conducting the test not having been factored into the budgeting for the installation/upgrade project.
What headaches does this approach cause?
This approach normally causes a problem as testing companies have a finite amount of resource and a constant battle to ensure the consultants diaries are booked in advance (at Mandalorian, we look to ensure our consultants diaries are booked 4-6 weeks in advance). So, when we are approached to test product ‘X’ ASAP (usually within 4 weeks), and if possible, at a reduced cost (as it wasn’t budgeted for), this can pose obvious challenges. Whilst we (and other testing companies) are as flexible as possible, usually the only way to meet the requirement is to offer a time-fixed assessment where rather than looking to test product ‘X’ completely and from every angle, we look to test within a fixed timeframe in order to find as much low hanging fruit as possible. Whilst this approach will usually catch any major issues that the installation or upgrade may have caused, it certainly isn’t the same as replicating a rogue attacker (with potentially limitless timeframes).
What benefit is there to engaging with testing companies earlier?
From a security perspective, looking to engage with a penetration testing company is about ensuring that Product ‘X’ improves (or doesn’t weaken) the existing security of your network. The only way to know this is to first test the network without the product installed. This then gives the testing company something to definitively conclude that the product has been installed correctly. Of course, if you get an annual healthcheck, this can be the ‘before’ report that you compare the product’s ‘after’ report to.
Engaging with a testing company early also means taking a more holistic view – looking at the end of the process, and working back from there, to ensure that you’ve covered everything. If you engage with a testing company early, it means that they’re aware of your timeframes and can look to confirm that the dates you need to meet can be booked into their diary. This means that the go live date of Product ‘X’ can be met. It also means that the testing company can confirm the cost of the test as early as possible – it’s much easier to ask Finance for sign-off to X+Y early doors, rather than ask them for sign off on X, and again for Y at a later date.
Finally, testing consultants really are on the front line of cyber attacks, and see the same basic errors made that expose vulnerabilities time and time again. Engaging with them early is a way of getting advice (with no cost as this would fall under pre-sales consultation) from the experts.
So to summarise, the benefits of engaging with a partner early are:
- Ensuring you can accurately compare the security of your network after an installation/upgrade compared to beforehand.
- Staying within your budget, with no hidden surprises or changes.
- Meeting your project timeframes by booking dates well in advance.
- Receiving the best advice regarding the most secure way to install/upgrade product ‘X’ from the people who know best how to breach it.
As always, if you’ve any questions, or would like to discuss this further with me, I can be contacted at firstname.lastname@example.org.