The Problem with Pentesting
Our Penetration Testers are an incredible resource and one we are privileged to have with us every day. In an ideal world where cyber-security was front and centre in the executive's mind and money was not an issue, you would have your own penetration testers. Your testers would work full-time to identify vulnerabilities and risks in your digital assets. But this is not practical for all but the most prominent organisations. A penetration tester's salary can be more than £70k. Add on top of that another £10k a year in insurance, continual training, hardware and software, and the price ticket for a single penetration tester quickly exceeds £100k.
Penetration tests use standard industry guidelines. These guidelines come from OWASP, NIST, CIS and others and reflect compliance frameworks. These guidelines can be relied on to find most vulnerabilities but can miss more complex and potentially damaging issues.
The UK's National Cyber Security Centre advises organisations that:
"You should know what the penetration testers are going to find before they find it. [...] use third-party tests to verify your own expectations. Highly experienced penetration testers may find subtle issues which your internal processes have not picked up, but this should be the exception, not the rule."
Various, Distinct Problems
We read with great interest the 2018 Bugcrowd survey of 200 cybersecurity leaders that found 56% were dissatisfied with their current penetration tests. We used that information to alter the way we test. Here are the findings, along with how we differ:
One of the biggest complaints about Penetration Testing companies was that clients have a long wait for each testing period. Scheduling delays are something we have always avoided by what we consider our unique approach to scheduling. None of our clients will ever wait more than four weeks for their test to be started.
Testing time is impossible to extend
It is only during the early phases of a penetration test that a client can extend the time. However, it is not until later in the pentest that a tester will likely identify the need to increase the test time. The cause of this is the schedule. Testers are booked routinely on back-to-back engagements. At Hedgehog, we leave a buffer for our testers. Our testers usually have two or three days between tests where there is nothing scheduled. When a test needs more time, there is always availability.
Keeping Costs Low means the Wrong Tester
We all need to reduce overheads. Keeping a business lean means survival. But this can lead to the assignment of testers who aren't suited to the engagement. Or the use of unqualified testers. Clients are demanding lower prices. The cost of employing a penetration tester is increasing. Many testing companies are either outsourcing or using juniors. At Hedgehog, all of our testers are either CREST CRT, OSCP or QSTM qualified as a minimum and must spend ten days each year in training.
Time to Reporting
With a standard penetration test, you receive results at the end of the engagement, typically close to twenty days from the testing start date. That means vulnerabilities that have already been identified can remain open for an unnecessarily long time. At Hedgehog, we communicate with you every day. You will always know what we have found. Our final report is with you within three days of the test completion date. If you would like to learn more about how we communicate, we have it all laid out here.
A single penetration tester cannot know everything. While your assigned tester will test the majority of systems, your tester will have a particular speciality. Customers don't usually have the option to select which testers work on their projects. At Hedgehog, we have listed each of our testers' specialist skills on our team page. Should you so wish, you can choose who you would like to do your testing. However, we operate as a team, and while you will be assigned a particular tester to lead your test, they will call on the skills across all our team.
Penetration tests are checklist-based. It is how the vast majority of Penetration Testing companies work. Checklists are needed to ensure proper coverage. There is minimal time or incentive for testers to use their initiative or 'dig deeper' to find complex vulnerabilities. While we do have a series of checklists, we also provide our testers with the freedom to conduct the test with their initiative and gut instinct.
Testing is a Single Point in Time
Organisations engage in penetration testing once, maybe twice, a year. This is in stark contrast to modern development lifecycles, where new code is released frequently. Testing will highlight the vulnerabilities and weaknesses at the time of the test, but new vulnerabilities may be present quickly afterwards. To help address this, we provide a penetration-tester-led vulnerability scanning and monitoring service for the 12 months following the penetration test.
Poor Results and Bad Reports
A standard report from most testing companies will have valid findings, false positives and no-risk issues all mixed together. The information provided then often leads to confusion for the client. Worse still, with a compliance-centred focus and a reliance on automated tools, genuine high-risk vulnerabilities are not identified. We use an extensive peer-review process and team-focused testing to ensure there aren't any no-risk issues and, where possible, no false positives present in our reports.
The Hedgehog Difference
Many organisations are put off penetration testing through poor results, high costs, and time delays. We test differently. Here is how:
Our test window appears longer than others are quoting because we want to test appropriately and thoroughly. We have the flexibility to extend the window too.
Our prices are a little higher than others because we invest in our people, their training, and we do not keep a back-to-back schedule.
Appropriate or Desired Skills of Testers
We allow you to pick your tester, but we test as a team, so all the skills are always available for your test.
Communication and Reporting
We communicate daily with you, so you always know what we know. We also guarantee that your report will be with you within three business days from the completion of your testing.