Discover the benefits and challenges of switching pentest vendors for unbiased testing and improved security.
TL;DR:
Switching penetration testing vendors offers several advantages and disadvantages for organizations seeking to enhance their cybersecurity posture.
One of the primary benefits is the introduction of different perspectives to the pentesting process. Diversity in approach can uncover previously overlooked vulnerabilities and provide fresh insights into an organization's application and network security landscape. New pentesters may also bring industry-specific expertise that aligns more closely with the organization's sector. Some vendors create custom testing plans for each industry based on its most valuable assets, common threat actors, workflows and unique risks; this is something we do at Software Secured. This targeted approach can result in more relevant and actionable findings, as the testers understand the unique challenges and security compliance requirements specific to the industry.
While sticking with one vendor may provide a deeper understanding of unique vulnerabilities, switching vendors can bring fresh perspectives and new insights, helping uncover vulnerabilities that earlier assessments missed. This can lead to a more comprehensive and robust security strategy.
When engaging new penetration testers, organizations benefit from a varied skill set and a range of experiences that may not have been present with their previous vendor. These professionals bring unique methodologies, tools, and techniques to the table, potentially identifying security gaps that might have been missed in prior assessments. This fresh perspective is crucial in an ever-evolving threat landscape where attackers constantly develop new exploitation methods. Additionally, vendors may specialize in various aspects of cybersecurity, such as web application security, network infrastructure, or social engineering. Organizations can tap into these specialized skill sets by switching vendors, ensuring a more comprehensive evaluation of their security posture across multiple domains.
Engaging with new vendors exposes the organization to different reporting styles and remediation recommendations. This variety can lead to more detailed and actionable reports, potentially improving the organization's ability to address vulnerabilities effectively and efficiently.
Another significant advantage is the potential for cost optimization. The penetration testing market is competitive, and switching vendors provides an opportunity to reassess pricing structures and negotiate more favourable terms. This can lead to improved value for money, especially if the new vendor offers a broader range of services or more comprehensive reporting. Something to consider when evaluating pentest vendors is their business model. For example, if pentesting is one service amongst many that a VC-backed cybersecurity provider offers, that provider may experience more pressure to cut costs, increase margins and provide ROI to its investors, which can hurt the quality of testing.
New pentesters are unfamiliar with the organization's environment, which can be advantageous. They approach the assessment without the preconceived notions or biases that might have developed over time in a long-term vendor relationship. This outsider viewpoint can lead to more thorough and unbiased testing, particularly if the previous firm lacks quality assurance controls such as pentester rotation, peer review and continuous professional development, because the new pentesters are not influenced by prior knowledge of the systems or by the complacency that can arise from repeated engagements.
While continuity with a single vendor has its merits, introducing new penetration testing teams through vendor rotation can significantly enhance an organization's security testing program, providing a multi-faceted and dynamic approach to identifying and mitigating potential security risks.
Transitioning between penetration testing vendors can present several significant challenges for organizations, particularly those operating in complex technical environments. The procurement process alone can be a substantial time sink, often requiring extensive vetting (three vendors or more), contract negotiations, third-party risk assessments and internal approvals. This delay can leave critical systems vulnerable during the transition period and leave deals on the table.
A new vendor's unfamiliarity with an organization's specific applications and use cases is another considerable drawback. Each company's IT infrastructure is unique, with its own set of custom applications, network configurations, and security policies. A seasoned penetration testing team that has worked with an organization over time develops an intimate understanding of these nuances, allowing for more targeted and effective testing. New vendors must invest significant time and resources to reach this level of familiarity, potentially resulting in less comprehensive initial assessments. Additionally, there's the risk of losing institutional knowledge accumulated by the previous vendor. Long-term relationships often result in the discovery of subtle vulnerabilities or potential attack vectors that may not be immediately apparent to a new team. This loss of context could potentially leave an organization exposed to previously identified but incompletely remediated risks.
Establishing effective communication channels and protocols with a new vendor can also be a complex undertaking. This includes setting up secure methods for sharing sensitive information, aligning reporting structures, and ensuring that all stakeholders are properly integrated into the communication flow. Miscommunications during this phase can lead to gaps in coverage or delays in addressing critical vulnerabilities.
Perhaps most concerning is the uncertainty surrounding the quality of services provided by a new vendor. Understanding the differences between a high- and a low-quality pentest vendor will help you navigate the selection process with ease. While credentials and reputation can offer some assurance, the true measure of a penetration testing team's effectiveness often only becomes apparent after multiple engagements and reports. This uncertainty can be particularly problematic for organizations in highly regulated industries or those handling sensitive data, where consistent, high-quality security assessments are crucial.
Different vendors may employ varying methodologies, tools, and reporting formats. This lack of consistency can complicate year-over-year comparisons and trend analyses, which are vital for tracking an organization's security posture over time. It may also necessitate changes to internal processes for handling and acting upon penetration test results, potentially leading to inefficiencies in your SDLC or security oversights.
In conclusion, while changing penetration testing vendors can sometimes bring fresh perspectives and new expertise, organizations must carefully weigh these potential benefits against the significant challenges and risks associated with such a transition. The decision should be made with a comprehensive understanding of these cons and a clear strategy for mitigating their impact on the organization's overall security posture.
Aspect | Session cookie | Signed token
Security | Can be easily manipulated without detection if not properly secured. | Digitally signed and can be validated on the server; manipulation can be detected.
Size | Limited to 4KB. | Can contain much more data, up to 8KB.
Dependency | Often used for session data on the server side; the server needs to store the session map. | Contains all the necessary information in the token; the server doesn't need to store data.
Storage Location | Browser cookie jar. | Local storage or client-side cookie.
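To make the Security, Size and Dependency rows of the comparison above concrete, here is an added example (not code from the original post) contrasting an unsigned cookie the server simply trusts with a self-contained HMAC-signed token the server can validate; the key, claim names and cookie-size constant are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for the demo: a per-server secret and the 4KB cookie ceiling from the table.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_LIMIT = 4096  # bytes

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Self-contained token 'payload.signature'; the server keeps no session map."""
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url_encode(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token: str, key: bytes = SERVER_KEY):
    """Return the claims when the signature matches, else None (manipulation detected)."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison, so timing does not leak how many bytes matched.
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def read_plain_cookie(cookie: str) -> dict:
    """Unsigned cookie: the server cannot tell a client-edited value from its own."""
    return dict(kv.strip().split("=", 1) for kv in cookie.split(";") if "=" in kv)

def fits_in_cookie(value: str) -> bool:
    """Size row: a single cookie value must stay within the 4KB browser limit."""
    return len(value.encode()) <= COOKIE_LIMIT
```

The unsigned cookie path accepts whatever role the client sends, while the signed path rejects a payload whose signature no longer matches, which is exactly the "manipulation can be detected" property in the table.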