Penetration Testing and Meeting Compliance – What You Need to Know
By Mark Bird, Date published: 2020-11-09
We often have clients coming to us for penetration testing services for compliance reasons. Companies that handle sensitive data such as FinTechs and healthcare providers are often required to undergo routine penetration testing by third-party security providers. In this post, we gather Pragma’s security experts to answer common questions on penetration testing and how we help in meeting compliance.
First, what exactly is penetration testing?
Penetration testing is when a professional tester (like us) acts as an ethical hacker and attempts to gain access to an application or system from the outside. The aim is to find vulnerabilities that have not yet been discovered, using the same techniques a real attacker would use to bypass the security mechanisms built into the application.
Does my company need a penetration test?
A company should undergo a penetration test regularly (at least annually), to catch both new vulnerabilities introduced over time and existing vulnerabilities that have gone undetected. A penetration test should also be done when new features are deployed to the system, or when configurations are added or changed, such as a change of firewall rules or a change to the permission set of admin/member roles.
Most of the time, companies undergo penetration testing for compliance purposes. International security standards such as the ISO 27000 series, industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), regulations such as the Monetary Authority of Singapore's Technology Risk Management guidelines, and third-party assurance reports such as SOC 2 all call for vulnerability assessment and penetration testing as part of demonstrating compliance.
I need to comply with regulatory requirements. What type of penetration testing should my company go for?
White box, grey box and black box testing are the main types of testing. White box means the tester has full information on the application (architecture, source code, credentials); grey box means the tester has partial information (typically documentation and test credentials); black box means the tester starts with no knowledge of the system at all. Grey box or white box is preferred for compliance testing because it gives deeper coverage of vulnerabilities in the system within the same time budget.
When a client comes to us for penetration testing for compliance obligations, we generally test the following areas that will satisfy most compliance requirements. However, please speak to us if you require testing beyond these scopes.
- Configuration and Deployment Management (e.g. misconfigured services or web server settings)
- Identity Management (e.g. account registration)
- Authentication Testing (e.g. basic, multifactor, password strength)
- Authorisation Testing (e.g. roles and privileges)
- Session Management
- Data Validation (e.g. input sanitisation)
- Error Handling
- Cryptography (e.g. encryption mechanism and quality)
- Business logic
- Client-side Attacks (e.g. vulnerabilities that affect end users in the browser, such as cross-site scripting)
How long will the test take?
The length of the test normally depends on the scope (e.g. the number of web application features or the number of devices to be tested) and on how quickly the client and tester can communicate during the engagement (e.g. in answering the tester's enquiries).
What is the cost for penetration testing?
The cost depends on the scope of items to be tested (e.g. network devices, or the functions and parameters of a web application), the complexity of the network infrastructure or of the web application use cases, and whether the testing can be done remotely or must be done on site.
What do I get at the end of the test?
You will receive a report that lists each finding with its Common Vulnerability Scoring System (CVSS*) score, its severity rating (critical, high, medium or low), a description of the issue and the remediation steps to be taken.
*Note: CVSS is an industry standard for scoring the severity of vulnerabilities. The numeric base score (0.0 to 10.0) maps to a qualitative rating: none, low, medium, high or critical.
How do I select a suitable penetration testing service provider?
We suggest first understanding the purpose of the test (is it for compliance purposes, or part of a security strategy to build cyber resilience?). From there, you can list the scope or areas that your company needs tested. If you are unsure, a good penetration testing company will be able to guide you through this.
Compare providers and ask whether they are proficient in testing what you need. For example, check whether their penetration testers hold OSCP or CREST certifications (some regulators require this).
Lastly, remember to ask for a sample report, so you can check that the service provider covers all the areas you need and provides all the necessary information at the end of the test.
I am not required to meet compliance requirements, is it still worth getting a penetration test?
A penetration test is always worth the time and effort, given that the cost of a breach is far higher than the cost of a routine test. A penetration test gives you valuable insight into your system's weaknesses: there may be existing weaknesses that have been overlooked, or new bugs introduced by recent changes.
Mark Bird is a Consultant in Cyber Incident Response, Pragma Europe Ltd. Mark spent 17 years working in the UK police and over 5 years as a Detective on the prestigious West Midlands Regional Organised Crime Unit Cyber Crime team. After his successful law enforcement career, he entered the private sector and investigated incidents for various industries, including large multinational companies experiencing widespread encryption due to sophisticated Ransomware infection. Mark now leads the Incident Response division for Pragma Europe based in Central England. Pragma provides Incident Response services to organisations from diverse industries in over 135 countries globally. If you require immediate assistance, please email email@example.com
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.