As the owner of a penetration testing company I receive, almost daily, requests to "sharpen my pencil" or "give me your best price". When I started back in 2010, I felt insulted, but over time that feeling faded and now it is just a raised eyebrow. I only ever give my best price. I think it is fair and represents value for what we do.
With penetration testing, you are purchasing the skill of a professional tester, not a toolset or a license code. So I thought it might be useful to explore what happens when you want to pay less for a test.
All names are anonymised to protect people, but this is 100% accurate.
So without further gilding the lily, on to the scope. Company Theta (entirely made up) want to test a web application they have deployed within the Microsoft Azure environment. The app has five user levels: free, subscription, customer_admin, support and global_admin. It has two API functions and it all talks to an Azure database.
Our initial quote was for seven days of test time. It covers five days of continual testing and two days for documentation. We always state that if we don't use all the days, we will only bill for what we use. We produced a proposal that detailed what we would do during that time. We would cover all of the OWASP test points discussed in the scoping call, and it would all be to CREST standards.
The contact at Company Theta came back and asked us to look at the pricing and days because Competitor Bravo had quoted only four days and were £300 a day cheaper.
Sanity Check 1. CREST testing requires a CREST member company. A check on the CREST website didn't detail Competitor Bravo. We called CREST and asked, and they confirmed no, they were not a member company.
Sanity Check 2. CREST testing requires a CREST Registered Tester. In our proposal, we detailed the available testers suitable for the project for the client to choose their Penetration Tester. All of them are CREST registered testers. In the proposal from Bravo, no names or qualifications were detailed so it would be impossible to assure testing qualifications.
What to look for in a Proposal
Penetration Testing is an intricate art. The first thing to check is the understanding of your scope: are they delivering what you actually asked for? Here is a list of things I consider when I am reviewing a competitor's proposal to perform a penetration test on our connected world.
- Has the company understood the scope fully? When I briefed them on the remit of the scope, have they fully understood and documented that?
- Have they detailed what is out of scope? Sometimes out-of-scope devices are extremely important. For example, the scope could be *.hedgehogsecurity.com but I may have explicitly put www.hedgehogsecurity.com and hedgehogsecurity.com out of scope as they are externally hosted sites.
- Have they detailed the experience and qualification level of the tester?
- Will they provide their ISO27001 and ISO9001 certificates? For that matter, how about their Cyber Essentials Plus certificate? When you are engaging a firm to carry out offensive testing on your world, you need to know they have suitable levels of cyber and information security themselves.
- Are they using in-house team members or have they outsourced the job to somewhere else? Remember the UK DPA and GDPR here. It is really easy to end up manufacturing your own data breach.
- And finally, have they broken out exactly what you are paying for and listed the deliverables? At the end of the day, the tangible asset you are paying for is the report, so if you need it in 3 or 5 or even 7 parts, ask for it.
As always, we are here to help. We have a very strong and ethical team at Hedgehog and if you just want to chat about what to look for in a proposal, feel free to get in touch. I can often be found on our online chat.
Stay safe and secure out there.