For nearly 15 years, I have been involved in procuring security testing services. The process has always been the same: a penetration testing company asks for the range of IP addresses or access to an internal network and runs some automated tests, followed by allegedly state-of-the-art human intelligence testing.
When finished, a report is produced, sometimes followed by a short presentation. For 15 years, the reports have been similar: an executive summary telling me how bad our systems are and what technical vulnerabilities were found, followed by details of each vulnerability. My response has usually been: do not show me just the technical details of vulnerabilities; show me how these can impact my business.
Just to clarify, I am interested in seeing the technical vulnerability details, but they should not be the primary focus of penetration testing. What I really want is actionable intelligence on how these issues can be exploited in a concerted way that would have measurable business impact.
Now, I admit that such a feat is very challenging to deliver on a budget and in the limited time slot allotted to the testing. As such, my proposal for the security testing service is to work with my security team, IT teams and the business owners of the application to understand the implications. For the length of the contract, act as if you were my internal penetration testing team. Show me the real-world likelihood of each attack scenario that could lead to business loss. A simplistic "low-medium-high" rating is not going to cut it any more.
Show me you care about my business and I will support yours.
Vladimir Jirasek is chief executive at Jirasek Security Consulting