STRIDE Threat Modelling: What You Need to Know
STRIDE is a threat modelling framework developed by Microsoft to discover design flaws in your application.
Learn how to help your penetration test vendors find more security vulnerabilities and ensure maximum coverage.
TL;DR:
To get the most from a penetration test, your organization must do the necessary prep work. It makes the job easier for the testers and helps them find more vulnerabilities in the time available. Both the testers and the client have responsibilities for making the test a success. This article covers six ways an organization can properly prepare for a penetration test.
The first thing you should do to prepare for your penetration test is to get management involved, for several reasons. First, you want to understand any business objectives tied to the test: for example, a compliance or certification audit may be coming up, and the test may be intended to help the organization meet those requirements. Second, management can add context to the scope of the test. Getting the security director involved is a good start, but developers and the CISO fill in business and technical context from different perspectives: developers can answer questions about the code and architecture, while the CISO knows which objectives matter most and can help rank the assets by priority. Finally, the security director can pull these groups together and organize them toward the goal.
Next, provide as much knowledge about the organization and its products as possible. The more context the testers have about the company's business and its application(s), the better they can identify the top priorities and the most likely and most damaging threats. Describing the application's function, its backend, the data it handles and the services it depends on helps the testers connect the dots. Past penetration test reports, audits and other security-related issues are also valuable: they point to historically weak areas, and the testers can verify that those past findings were actually fixed rather than just closed. Finally, describe the application's use cases, give a demo and walk the testers through how customers navigate the application. Knowing how real users interact with it tells the testers which attack paths are most plausible and what they need to test for.
A business needs an objective and priorities for its penetration test. Ask yourself what you want to achieve; that lets the testers focus on what matters to you. The goal could be testing a new application before launch, preparing for an upcoming audit, or confirming that specific sensitive data is properly protected. You should also set expectations for how the test will be conducted. Agree rules of engagement that spell out which dates and times the environment may be tested, how long the test should take, which systems are in scope, and how findings will be prioritized when the report is delivered; if the vendor offers an SLA for report turnaround and retesting, include it.
Another practice that helps tremendously is threat modelling. Threat modelling works to identify, communicate and understand threats and mitigations within the context of protecting something of value. Pentesters combine their own insight with the client's products, assets and data flows to determine the most relevant threats, so the client's own model, even a rough one, is a head start. One of the most useful diagrams to provide is the basic deployment diagram (BDD): a diagram of the hardware and software components and the connections and pathways between them. A BDD lets the testers see how the components talk to each other, where trust boundaries are crossed and where a threat actor would have potential access or entry points. It also helps confirm that the environment being tested matches what customers actually use. One of the biggest problems testers run into is being handed a test environment that is not laid out the same way as production; in that case, even a well-executed test produces results that may not apply to the production environment.
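As an added example (not part of the original article), the following Python script applies Microsoft's STRIDE-per-element method to a small deployment diagram constructed here for illustration: each component becomes an element, each connection a data flow, every element kind gets the STRIDE categories that apply to it, and flows that cross a trust zone are flagged as candidate entry points, which is exactly what a tester reads off a BDD. The component names, trust zones and flows are assumptions for the example, not a real system.

```python
"""STRIDE-per-element over a basic deployment diagram (added example).

The diagram below is constructed for illustration: a customer browser,
a web application in a DMZ, a DMZ session cache, two internal data
stores and an external mail provider.  Element kinds and the table of
which STRIDE categories apply to each kind follow Microsoft's
STRIDE-per-element chart.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories are worth asking about for each
# kind of element.  Repudiation is added to a data store only when it
# holds logs or audit records, as the chart footnotes.
APPLICABLE = {
    "external": "SR",     # external entity (user, third-party service)
    "process": "STRIDE",  # running code
    "datastore": "TID",   # database, file, queue
    "dataflow": "TID",    # any arrow between two elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # "external" | "process" | "datastore"
    trust_zone: str    # e.g. "internet", "dmz", "internal"
    holds_logs: bool = False


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


def element_threats(element: Element) -> list[str]:
    """STRIDE categories to consider for one element."""
    letters = APPLICABLE[element.kind]
    if element.kind == "datastore" and element.holds_logs:
        letters += "R"
    return [STRIDE[c] for c in letters]


def crosses_boundary(flow: Flow, by_name: dict[str, Element]) -> bool:
    """A flow between different trust zones is a candidate entry point."""
    return by_name[flow.src].trust_zone != by_name[flow.dst].trust_zone


def enumerate_threats(elements: list[Element], flows: list[Flow]) -> list[tuple[str, str, bool]]:
    """Return (target, category, crosses_trust_boundary) for every element
    and flow, one tuple per STRIDE category that applies to it."""
    by_name = {e.name: e for e in elements}
    findings: list[tuple[str, str, bool]] = []
    for e in elements:
        for category in element_threats(e):
            findings.append((e.name, category, False))
    for f in flows:
        if f.src not in by_name or f.dst not in by_name:
            raise ValueError(f"flow {f.src}->{f.dst} references an element not in the diagram")
        crossing = crosses_boundary(f, by_name)
        for c in APPLICABLE["dataflow"]:
            findings.append((f"{f.src} -> {f.dst} ({f.label})", STRIDE[c], crossing))
    return findings


def summarize(findings: list[tuple[str, str, bool]]) -> dict[str, int]:
    """Number of candidate threats per STRIDE category."""
    return dict(Counter(category for _, category, _ in findings))


# Constructed sample diagram (assumed for the example, not a real system).
ELEMENTS = [
    Element("Customer", "external", "internet"),
    Element("Web App", "process", "dmz"),
    Element("Session Cache", "datastore", "dmz"),
    Element("Orders DB", "datastore", "internal"),
    Element("Audit Log", "datastore", "internal", holds_logs=True),
    Element("Mail Provider", "external", "internet"),
]
FLOWS = [
    Flow("Customer", "Web App", "HTTPS: login, browse, order"),
    Flow("Web App", "Session Cache", "session lookups"),
    Flow("Web App", "Orders DB", "SQL over TLS"),
    Flow("Web App", "Audit Log", "append audit events"),
    Flow("Web App", "Mail Provider", "order confirmation e-mail"),
]

if __name__ == "__main__":
    results = enumerate_threats(ELEMENTS, FLOWS)
    for target, category, crossing in results:
        flag = "  [crosses trust boundary]" if crossing else ""
        print(f"{target:50} {category}{flag}")
    print(summarize(results))
```

The output is a checklist, not a list of vulnerabilities: each line is a question the testers should be able to answer about that element. The boundary flag is the useful part for scoping, since the four flows that leave the DMZ are where the testers will spend most of their time, and a test environment that drops or merges any of those zones will not answer the same questions as production.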
Companies that have the information for the test organized make the process much smoother and leave the testers more time for actual testing. If the testers are blocked waiting for credentials, a complete list of the assets in scope, network access or anything else, that time comes straight out of the testing window. Being proactive and prepared helps your team find more vulnerabilities, faster, so have the credentials, the complete list of in-scope assets and whatever access the testers need ready before the start date.
The last item on our list is to prepare for what comes after the report. Any penetration test should be planned on the assumption that vulnerabilities will come back, with a decision already made about how your team will allocate resources to fix them. This matters most when there is a deadline, for example an audit scheduled within the next few months: with resources lined up in advance you can expedite remediation and meet the date. To confirm that the fixes were applied correctly, plan for a retest that follows the remediation guidance your tester gives you. Going forward, to stay on top of new vulnerabilities, we suggest clients continue with quarterly penetration tests as part of their security program.
When selecting a penetration testing company, consider its post-test support. A comprehensive service extends beyond identifying vulnerabilities and delivering a report. Look for providers that offer actionable recommendations with external references and, more importantly, help your team implement the fixes. That support should include retesting critical and high-severity findings to validate that the corrective measures actually work. You may also want independent third-party validation of the findings for objectivity and thoroughness; it verifies the accuracy of the initial results and adds a layer of assurance. Choosing a vendor with robust post-test support, and considering independent validation, maximizes the value of your penetration testing and strengthens your overall security posture.
Penetration testing can be an important part of your organization's security strategy. Finding a reputable and experienced vendor matters, but so does being properly prepared as the client. By doing this work up front, you help the testers use their time far more efficiently and find more vulnerabilities during the test. Implementing these six ways to help your penetration test vendor can significantly improve the effectiveness of your security program. Check out 4 ways security leaders use penetration testing to elevate their security programs!