
Given the bad press in data breaches, my company is looking at pen testing options. We went through the pen test guide, but what else can you suggest so we don't get hacked?

Anders
Ishan Mathur

2 Answers

1

Yes, even though the PTES (mentioned by Soufiane's answer) is wildly out-of-date, it is somehow still one of the best standards for reference.

Here is a technical guide using Metasploit according to the PTES.

What would be extraordinary is if a client can watch the progress of the testing, either with live access to something like LAIR-framework -- or as a videocast. My favorite vulnerability-management consolidation-and-collaboration portal is LAIR-framework, but I also enjoy Dradis Pro. A further list might contain: Cisco Kvasir, Serpico, CheckSec Canopy, Faraday, etc. A few are included in Kali Linux -- MagicTree, KeepNote, sparta, and Dracnmap. Some people put vulnerability data into Splunk or ElasticSearch (vFeed recommends this). A very expensive but full-featured solution is Core Vulnerability Insight from Core Security. Salesforce provides VulnReport.io. Even Shodan offers a geographical (world-map) view of consolidated vulnerability data -- https://scanhub.shodan.io

If you are looking for information about what you should expect before the testing, check out this resource from SANS -- https://isc.sans.edu/diary/21665

If you want to know what reports that are the output of a pen test look like, check out -- https://github.com/juliocesarfort/public-pentesting-reports

atdre
0

The first thing to do is ensure that the development team understands how to code using secure development principles and best practices. There are lots of great resources online that can be leveraged to help support and train your team, for example the OWASP online academy.

Security testing should be integrated into the development lifecycle. There are tools that will allow you to automatically scan your app; although automatic scanning won't catch everything, it will assist in catching the low-hanging fruit. For example, it may have prevented the TalkTalk hack, which was the result of SQL injection.

There are a number of tools that you can use for this, including cloud-based subscription services that will scan your app from the internet, the pro version of the Burp proxy, and the free and open source OWASP ZAP proxy. This is a guide on how to configure ZAP with Jenkins.

Using this method, security holes can be discovered and fixed as a standard part of the development process; in theory this should mean a harder final product carrying less risk.

This should be used as an addition to 3rd party penetration testing, which should be done by a reputable 3rd party known for conducting thorough in-scope tests. Third party testers will bring a new set of eyes to the project and dedicated security expertise, and avoid the problems inherent in 'marking your own homework'.

In my experience, if the automatic scanners have caught the low-hanging fruit, the penetration testers need to work that little bit harder to find some "good" stuff to report on. They should also be able to produce reports that can be used to report issues in a clear manner.

This last point is critical: any issues that are discovered should have a process around them to ensure they are fixed within a reasonable timeframe. There is no point in simply knowing about vulnerabilities if you have no plan in place to fix them, which Equifax (and all its customers' data subjects) found out to its cost last year.

TheJulyPlot
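The answer above makes two practical points: an automated scan should gate the build so low-hanging fruit never reaches production, and every finding needs a fix-by date so it does not sit unowned. The script below is an added example, not code from the answer or from the OWASP ZAP project. It assumes the scan step (for instance `zap-baseline.py` with its `-J` option) has written ZAP's traditional JSON report, in which each site carries an `alerts` list whose `riskcode` is 0 (informational) to 3 (high); the embedded report, the hostname `app.example.test`, and the remediation windows in `FIX_WITHIN_DAYS` are constructed here and are policy choices, not values defined by ZAP.

```python
"""Gate a CI build on a ZAP scan report and attach remediation deadlines.

Added example (not from the original answer or from ZAP). Assumes the
traditional ZAP JSON report layout: {"site": [{"@name": ..., "alerts": [...]}]}
with each alert carrying a string "riskcode" from "0" to "3".
"""
import json
from datetime import date, timedelta

# ZAP's risk codes in its report: 0 informational, 1 low, 2 medium, 3 high.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Assumed team policy: days allowed to fix a finding of each severity.
# Informational findings get no deadline (None).
FIX_WITHIN_DAYS = {3: 7, 2: 30, 1: 90, 0: None}

# Constructed sample report in ZAP's traditional JSON layout (not real scan output).
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://app.example.test",
        "alerts": [
            {"name": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/login", "param": "user"}]},
            {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2",
             "instances": [{"uri": "http://app.example.test/", "param": ""}]},
            {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "confidence": "3",
             "instances": [{"uri": "http://app.example.test/", "param": ""}]},
        ],
    }],
})


def parse_alerts(report_json: str) -> list:
    """Flatten the report into one record per alert with an integer risk code."""
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                # Older reports use "alert" for the title, newer ones "name".
                "name": alert.get("name") or alert.get("alert", ""),
                "risk": int(alert.get("riskcode", 0)),
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def gate(alerts: list, fail_at: int = 3) -> tuple:
    """Return (passed, blocking): the build fails if any alert is at/above fail_at."""
    blocking = [a for a in alerts if a["risk"] >= fail_at]
    return (not blocking, blocking)


def remediation_plan(alerts: list, found_on: date) -> list:
    """Attach a severity label and fix-by date so every finding has a visible deadline."""
    plan = []
    for a in sorted(alerts, key=lambda a: -a["risk"]):
        days = FIX_WITHIN_DAYS[a["risk"]]
        fix_by = (found_on + timedelta(days=days)).isoformat() if days is not None else None
        plan.append({**a, "severity": RISK_NAMES[a["risk"]], "fix_by": fix_by})
    return plan


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_REPORT)
    passed, blocking = gate(found, fail_at=3)
    for item in remediation_plan(found, date(2018, 1, 15)):
        print(f'{item["severity"]:<13} {item["name"]:<45} fix by {item["fix_by"]}')
    # Non-zero exit makes the CI job fail when a high-risk finding is present.
    raise SystemExit(0 if passed else 1)
```

In a pipeline the scan stage runs first, this script runs against its report, and the exit code decides whether the build proceeds; `fail_at` can be lowered to 2 once the medium-risk backlog is cleared, so the gate tightens as the application hardens. The fix-by dates are what the last paragraph of the answer asks for: a finding leaves the report with a deadline attached rather than as a line nobody owns.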