For nearly 15 years, I have been involved in procuring security testing services. The process has always been the same: a penetration testing company asks for the range of IP addresses or access to an internal network and runs some automated tests, followed by allegedly state-of-the-art human intelligence testing.
When finished, a report is produced, sometimes followed by a short presentation. For 15 years, the reports have been similar: an executive summary telling me how bad our systems are and what technical vulnerabilities they found, followed by details of each vulnerability. My response to them has usually been: do not show me just the technical details of vulnerabilities; show me how these can impact my business.
Just to clarify, I am interested in seeing the technical vulnerability details, but that should not be the primary focus of penetration testing. What I really want is actionable intelligence on how these issues can be exploited in a concerted way that would have measurable business impact.
Now, I admit that such a feat is very challenging to deliver on a budget and in the limited time slot allotted to the testing. As such, my proposal for the security testing service is to work with my security team, IT teams and business owners of the application to understand the implications. For the length of the contract, play as if you were my internal penetration security team. Show me the real-world likelihood of each attack scenario that could lead to business loss. A simplistic “low-medium-high” is not going to cut it any more.
Show me you care about my business and I will support yours.
Vladimir Jirasek is chief executive at Jirasek Security Consulting
This was first published in December 2015