What to Look For in a Penetration Testing Company
Penetration testing is one of the most widely used techniques to comply with security regulations and protect network and computing systems and users.
In a penetration test, or pen test for short, authorized hackers simulate an attack on specific applications, networks or sites to assess their security. A penetration test is designed with a specific goal in mind, such as to gain privileged access to a sensitive system or to steal data from a system that is believed to be secure.[1]
In traditional penetration tests, one or a small number of researchers run tests and produce a report for a fee. Traditional penetration test reports are often expensive, and they cost the same whether they list a few or many vulnerabilities, regardless of severity.
Hacker-powered penetration tests are emerging as a more cost-effective way to harden applications. With HackerOne Challenge, selected hackers from our community are invited to find vulnerabilities in your systems, and you only pay for the verified vulnerabilities found.
Here are 5 key things to look for in a penetration testing partner.
1. How many attack vectors
The best penetration testing companies can simulate the full spectrum of attack vectors across network, host and application layers. The OWASP Top 10, produced by The Open Web Application Security Project, is table stakes. OWASP Top 10 2017 listed injection, broken authentication, and sensitive data exposure as vulnerabilities one through three.
In addition to the OWASP Top 10, penetration tests should include DoS and DDoS, IDOR, remote code execution, DNS brute force, DNS subdomain takeover, deprecated ciphers, and cross-site scripting (XSS).
2. How many researchers
Many eyes, the saying goes, make all bugs shallow. Traditional security research firms will typically deploy one to three researchers for a penetration test, and often they are entry-level practitioners. The ability to draw from the world’s largest community of ethical hackers means typical HackerOne Challenge penetration tests field dozens to hundreds of hackers. More hackers participating in a penetration test means more diverse skills and perspectives, which in turn yield more numerous, more varied and harder-to-find vulnerabilities. Some participating hackers may be experts at finding database vulnerabilities, like SQL injection. Some may specialize in testing particular software frameworks like .NET. Others will be wizards at cross-site scripting issues.
3. How many vulnerabilities
The purpose of any penetration test is to discover vulnerabilities before they can be exploited. Therefore, all other things being equal, discovering more vulnerabilities is better. Pay-per-report penetration testing companies are incentivized to complete the assignment and bill the hours. There is typically no bonus for number, severity or diversity of vulnerabilities found. In contrast, hackers conducting pen tests are paid only if they find a vulnerability. More hackers with more diverse skills, all working hard to find the types of vulnerabilities you care about, tend to uncover more vulnerabilities. In one comparison of a traditional pen test to a hacker-powered pen test, the traditional firm found three vulnerabilities in the client organization. The hacker-powered penetration test found those three and 60 others.
4. How much flexibility
Customers have varied needs when it comes to penetration testing. If you have simple requirements, a traditional research firm may be adequate. Like many businesses that charge on a time-and-materials basis, traditional pen test research firms have strong financial incentives to reuse templates and processes: rinse, repeat.
Customers with more diverse and complex assets often benefit from a more customizable approach. Hacker-powered penetration tests like HackerOne Challenge allow you to fine-tune every aspect of the program, including:
- The exact, even hard-to-find, skills you want in participating hackers.
- The priority of different assets.
- How much hackers are paid to find bugs you care about. You align your hackers’ priorities with your business priorities.
5. How much value
Paying for results is a far cry from checking the box when it comes to compliance. It’s a cost-effective means to find as many vulnerabilities as possible, quickly, at the lowest possible cost. HackerOne Challenge customers report up to 600% better ROI compared to traditional pen tests.
Value comes not only from more, and more critical, reports. In order to ensure your security team can remediate quickly, HackerOne Security Analysts review all new reports and communicate with the submitting hacker for any needed additional information.
Only after our security analysts have successfully replicated reported issues and formatted the report with the agreed-to detail, like severity, a summary, and steps to replicate, will they mark it as Triaged.
The final Challenge Summary Report includes all Triaged reports. The report also includes additional detail about the vulnerability and recommendations for next steps. A HackerOne program manager will review the report with you and your team and answer any questions you may have.
To start a HackerOne Challenge today, or learn more, contact us.
1. Daniel Miessler. 2015. “Information Security Assessment Types.” Last modified April 4, 2018. https://danielmiessler.com/study/security-assessment-types