Quidem Inventore Deleniti
We live in the age of automated hacking systems, frequent data breaches and consumer protection regulations such as GDPR and PCI DSS, penetration testing has become an essential security requirement for businesses of all sizes, rather than just the banks and governments of yesteryear. What that means is lots of companies out there find themselves needing to choose a pentest supplier for the first time, and it’s not easy.
Faced with the task of getting a penetration test done, the sheer number of providers can be daunting, and finding one which can deliver a high quality test at a reasonable price is not easy. How do you know if they’re any good? Can you tell what level of security expertise was delivered by reading the report? Was your application secure, or did the tester simply not find the serious weaknesses?
There’s no easy answers to these questions, but the good news is that you can help yourself out by asking the right questions up front. The most important considerations fall into three categories: certifications, experience, and as always - price.
Certifications are the first thing a new buyer should look for, as they can provide a convenient shortcut for building trust with a vendor.
Worldwide there’s no shortage of professional certifications available, but in the UK the most well-recognised certification body is CREST (Council of Registered Ethical Security Testers). CREST was set up by the UK’s leading pen testing consultancies precisely to solve this buyer’s problem, and it is now an internationally recognised hallmark of quality for a variety of cyber security disciplines.
You still need to know what to look for though, as CREST have both a company-level certification, as well as individual certifications where each tester must pass an exam to prove their skills. Having one does not mean you have the other.
The company-wide accreditation (‘CREST member company’) is given to companies that can prove their policies, processes and procedures are up to scratch. This allows penetration testing companies to show that they follow good practices on paper, and use appropriate security testing methodologies. However, asking a ‘CREST member company’ to carry out a pen-test does not guarantee that the consultant performing your test is certified themselves to an appropriate standard - merely that the company is morally obliged to provide you with a suitable tester:
When checking the credentials of a penetration testing company, make sure to ask about the actual tester that will carry out the work — do they have appropriate certifications and experience for the job at hand?
This is a key point to take away, the credentials and experience of the person who will carry out the work are equally important to those of the organisation they work for!
For that reason, CREST also have a range of levels even for the individual testers, from entry-level certificates to complex practical examinations in different specialist areas. It’s important to look at both the level of certifications, and whether they’re specific to the type of penetration testing you are looking for. We’ve outlined the available CREST certifications for penetration testing below:
While certifications are useful, they can’t cover everything. There are many types of technology out there, and you can’t have an exam to cover every single one. As you can see from the diagram above, there is no CREST exam for AWS, or for embedded devices, or mobile applications. Being a penetration tester is sometimes like being a GP, you have a very good set of knowledge and skills, but there isn’t always a textbook for the patient you’re dealing with. That’s when experience can come into play.
Besides a penetration tester’s certifications, another big factor in a pentest’s quality is the breadth of experience your pen tester has under their belt. The more exposure that a tester has had, the more likely they are to be proficient at discovering a wide range of security threats.
It’s also important to note that not all experience is equal, since some types of testing can involve specific skills in particular technologies, like AWS Cognito, or the Real Time Messaging Protocol. As far as possible, make sure your potential provider has relevant experience in the types of technology you’re working with.
Remember though, there may not always be a tester with experience in every technology out there, so you may need to be flexible. A good penetration tester will be able to learn about the technology you need testing, based on skills and principles from other disciplines, but it might take them slightly longer to become familiar with the technology at hand. This could have a knock-on effect on the price…
People often ask what a normal cost for a penetration test is. Unfortunately, due to the variety in size and complexity of IT systems, this is like asking how long is a piece of string. It depends what you are working with, and how much depth you need to go to. If you imagine it like painting a bridge, it depends how big your bridge is, and how many coats of paint you want, just a thin covering might leave you exposed to the elements.
Because of this, pen tests are usually quoted on a ‘day-rate’ basis, and very broadly, you can expect to pay anything in the range of £800-£1250.
Day rates vary from vendor to vendor based on things like reputation, certifications, and special requirements for the tester’s experience, although discounts can be negotiated if you’re buying lots of days (anything more than fifteen days would be considered a large test).
To understand how long your job will take, the vendor will often need to get a demo of your product, or gather information about your environment. As a rule of thumb, the less questions they ask at this stage, the less likely you are to get an accurately quoted piece of work. There’s also no standard when it comes to scoping a piece of work, so you might find estimates differ. One organisation may scope a job as 3 days work, and another as 5, depending on their viewpoint. These are their best estimates, it’s hard to tell for sure until you’re doing the work exactly how long it will take.
You can even buy “fixed-fee” penetration tests, but going back to the bridge analogy, you should probably be worried about coverage if they’re offering it for a fixed fee without asking how big the bridge is.
As with anything in life, the price you are quoted should reflect the quality that your penetration test will be delivered at - but in an industry where the quality of a test is hard to judge, there are bound to be some rogue traders out there. Take care to ask the right questions and don’t skip the due diligence process before deciding on a provider.
Hopefully that explains a few of the most important factors to consider when choosing a penetration testing company to use. We hope the information we’ve provided in this article has been helpful, and please do get in touch if you have any questions around the topics in the article or otherwise.