We've kind of talked about how to choose your vendors, and we’ll get more into services soon, but we wanted to take some time to talk about penetration tests and especially what to do as they wrap up, how they affect the organization, and how you can manage your penetration tests to make sure they're actually effective.
- Receiving the report
- First and foremost, you are the customer. The report is not done until you say it is done.
- That doesn't mean to massage the data, but you need to be sure that the penetration testers actually provided value.
- If there isn't a solid executive summary, send it back. Period. Your testers should be able to summarize what they did, what they found, and what they think for your executives.
- A Nessus or Burp scan is not a report. Ever.
- Always ask “how did we do for this application/organization size” etc. You’re not just paying for someone to run Nessus on your network, you’re paying for their analysis. Ask for that.
- First and foremost, you are the customer. The report is not done until you say it is done.
- Triaging the Results
- Results rarely go to the same place in the organization. You might have findings for different teams, or entirely different parts of your org. Make sure they get to the right people.
- Results may be inaccurate for your organization. A penetration tester isn't necessarily familiar with your organization’s risk profile, priorities, or anything else. What they mark as a medium may be a high or critical for you, or vice versa.
- Example: Information disclosure in Healthcare is often rated much higher when triaging than in other types of businesses.
- Working with the stakeholders
- Work in systems that make sense to people that need to do the work. Rally, Jira, etc.
- This can also give you traceability for when things are actually fixed.
- Don’t dump on people in big group meetings, take the findings to the specific teams
- That will give them time to develop a plan for the findings that are affecting them
- Work in systems that make sense to people that need to do the work. Rally, Jira, etc.
- Managing upwards
- No matter how well or poorly the report is written, it’s still going to end up being your job to explain “how bad is this thing you handed me?”
- Have to manage the findings and their perception upwards
- Remediate, mitigate, or accept
- That's an upper management call
- Dealing with the Re-test
- Most penetration tests have a clause in there for re-testing findings. Make sure you actually take advantage of that.
- This looks good from both an actual security posture position and a management position
- Some penetration testers will let you remediate quickly and have them re-test, which can be reflected in the final report
- Especially if your report might going to customers, this is incredibly useful. Take advantage of this if at all possible.
- Most penetration tests have a clause in there for re-testing findings. Make sure you actually take advantage of that.