Posted by Robin Wood on June 16, 2014.
Welcome to my first post of what will hopefully be a regular series on topics at least loosely related to security testing.
Seeing as my section will be on testing I thought I’d start by asking the question “what is a penetration test?”. Hopefully if you ask someone in the testing community about vulnerability scans and penetration tests they would agree that, at the most basic level, a vulnerability scan is a way to test a system, be it network, web app or anything else really, for vulnerabilities but stop when the testing finds them. A penetration test takes that a step further and exploits the vulnerabilities. Ask a consumer of tests and you will get a huge variety of answers and this is where the problem starts.
Customers, especially ones who haven’t had testing done before, tend to pick up on the phrase “penetration test” as it is a sexy term, so that is what usually goes on tender documents regardless of what is actually required.
But if you are a tester and a tender document comes in asking for a penetration test and you can’t take it at face value, then how can you tell what is actually required? Simple: talk to the client. This seems obvious, but when I’ve suggested it to some people they seem confused. They say they have their spec to quote on, so why waste time, and therefore money, in discussions before even putting a quote in. The problem comes when they win these jobs and find that what they assumed was a few days of popping boxes is actually a full audit with reports going to customers as well as the client, or when testers get to site and completely hose a network that has never been patched and the job turns into consultancy. You can then start to negotiate a new contract and more money, but I find that doesn’t go down well with clients. I’ve spoken to too many clients who have had negative experiences with testing companies, complaining about reports which don’t fit their needs. The testing company came in, had their shot, didn’t impress and won’t be invited back in.
What do you need to talk about? You need to find out why they are having the testing done. Is it because they want to make their network or product more secure, is it because they have to have it done for compliance, or is it one of their customers trying to protect their supply chain? Once you know this you can come up with an appropriate quote; it may not match the other people quoting, but having engaged the client they should understand why and hopefully appreciate the extra effort when awarding the job.
Sales teams on the testers’ side and procurement processes on the client side can make the process of working out what is actually needed even harder. The padding between testers and the commissioning department can make it hard to communicate effectively what is required, so it is even more important to get peers talking and make sure their discussions are passed back up to sales and procurement so they can be built into the contracts.
So please, testers, talk to your customers, find out their real requirements, don’t just run with what is written on the first request for tender document.
If you are a user of testing services, make sure you know what you want and what you are getting. If you have questions, don’t be afraid to talk to the testers. Any good company will be able to go through all the options with you and should be able to provide sample reports and be able to explain all the deliverables you will receive.
Back to the original question, what is a penetration test? It is whatever the client requires it to be. Don’t get hung up on the ideal of what the phrase should mean; instead be flexible and work with your client to deliver what they need.