Secure360

5 tips for getting the most bang for your pen test buck

March 20, 2015 by Ed Skoudis

Paying someone to hack your own organization may sound preposterous at first. But, done properly, so-called penetration testing can help your organization improve its security. Due to compliance requirements, regulatory mandates, or a business need to better manage risk, an increasing number of organizations are turning to penetration testers with a goal of improving security. But not all penetration tests are created equal.

To get real business value from a penetration test, here are 5 items you can ask your pen testers to provide in their report.

1. Action items that help you better manage risk

Pretty much every penetration test report includes specific recommendations for addressing each discovered vulnerability. That’s all good and useful, but ask your penetration testers to group related findings together so you can manage risk more systematically. Instead of playing whack-a-mole with individual findings, have the penetration testers discuss how groupings of findings might be related and can be addressed through process and procedure alterations on top of individual technical fixes. Most technical vulnerabilities are actually the result of a process problem. Fixing the individual tech issue is just a band-aid; the issue will recur if you don’t get to the root cause of the problem.

2. Comparison to similar organizations

Ask your penetration testers to report on how your organization compares to other similar organizations. Is your security better than, worse than, or about the same as your near peers? Discuss with them their experience in testing organizations in your industry, groups similar in size to yours, and organizations with similar threats. Pen test companies with multiple customers in your industry can help you understand how your security posture compares with others. In-house pen testers (your own employees) can go even further, comparing the results of various business units to help differentiate those that are relatively more secure versus those who are less so.

3. Positive findings

Surely, you are doing something right. Most pen test reports, however, deal exclusively in the negative, indicating vulnerabilities and making recommendations for fixes. Insist that your pen testers include at least some positive findings so that your organization knows what it is doing right and can continue those practices. Also, having a spoonful of sugar in the pen test report can help make the medicine of fixing the significant problems go down more smoothly.

4. Help with prioritization

Most pen test reports rate findings as High, Medium, or Low risk. But where do you start implementing your fixes? Well, at high-risk findings, of course. But, if you have a dozen high-risk findings, which of those do you work on first? Pen testers can help by providing not only an indication of the risk impact (High, Medium, or Low) but also an estimate of the ease of exploitation (again, High, Medium, or Low). That way, your organization can prioritize fixes for the highest impact findings that have the highest ease of exploitation for a would-be attacker.

5. Techniques for verifying a fix is in place

Your pen testers can provide even more value in their report if they include a description of how to verify that your operations team has made a proper fix for each finding. For example, in addition to making a recommendation for an individual technical problem, your report could include brief instructions on how to check the fix by verifying that a patch is installed, that a config change has been made successfully, or that certain filters are in place. That way, your ops team can itself check that it has made the desired fixes, gaining more insight into the solution. Not every finding in a pen test report lends itself to this kind of step-by-step remediation checking. For example, some significant web application vulnerabilities, like cross-site scripting or SQL injection, may require a more detailed re-test by a skilled pen test expert. But many fixes can be checked by competent sys admins armed with the right advice from penetration testers.
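As an added illustration (not part of the original post), here is how the three kinds of verification step named above (a config change, a patch level, a filter) can be written as runnable checks that an ops team attaches to each finding. The finding ids, sshd config text, package versions and port list are constructed sample data standing in for the fixed host.

```python
import re

# Constructed sample artifacts standing in for the post-fix host's state.
SSHD_CONFIG = """# PermitRootLogin yes   (old setting, commented out by ops)
Port 22
PermitRootLogin no
PasswordAuthentication no
"""
INSTALLED_PACKAGES = {"openssl": "1.0.2", "bash": "4.3.48"}   # name -> version
LISTENING_PORTS = {22, 443}                                      # from a port listing

def check_config(text, key, expected):
    """Config-change check: the last uncommented '<key> <value>' line must match."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # ignore comments
        m = re.match(rf"^{re.escape(key)}\s+(\S+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1)                        # later lines override earlier ones
    return value is not None and value.lower() == expected.lower()

def check_patch(packages, name, minimum):
    """Patch check: installed version must be >= minimum (numeric dotted versions assumed)."""
    ver = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))
    installed = packages.get(name)
    return installed is not None and ver(installed) >= ver(minimum)

def check_filter(listening, port):
    """Filter check: the port exposed during the test must no longer be listening."""
    return port not in listening

# Hypothetical findings, each carrying the verification step the report would attach.
FINDINGS = [
    {"id": "F-01", "check": lambda: check_config(SSHD_CONFIG, "PermitRootLogin", "no")},
    {"id": "F-02", "check": lambda: check_patch(INSTALLED_PACKAGES, "openssl", "1.0.2")},
    {"id": "F-03", "check": lambda: check_filter(LISTENING_PORTS, 443)},  # still open
]

def verify_findings(findings):
    """Run every finding's check; return {id: True if fixed, False if still open}."""
    return {f["id"]: bool(f["check"]()) for f in findings}

if __name__ == "__main__":
    for fid, ok in verify_findings(FINDINGS).items():
        print(fid, "fix verified" if ok else "STILL OPEN - re-test needed")
```

Findings that come back as still open are the ones to hand back to the pen testers for a proper re-test.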

These 5 tips can help your organization get even more value from its penetration tests. It’s important to recognize that each tip involves the penetration tester going the extra mile in supporting your business from a risk management and operations perspective. That extra business value may require more time from penetration testers, and could increase the cost of the project. But, in the end, you’ll get more actionable, meaningful pen test results that help improve your security stance over the long run.

Filed Under: Guest Posts

About Ed Skoudis

Ed Skoudis is the founder of Counter Hack, an innovative organization that designs, builds, and operates popular infosec challenges and simulations including CyberCity, NetWars, Cyber Quests, and Cyber Foundations. He is also a keynote speaker for the 2015 Secure360 Conference. Connect with Ed on Twitter.

Comments

Stuart Gentry, March 23, 2015 at 1:24 pm:

Very educational, Mr. Skoudis. I also really liked your presentation for HackFormers, especially talking about your day and how you keep up with security. Thank you.
