For the CIO, CSO, CTO or IT Manager…
Penetration testing, often referred to as “ethical hacking” and sometimes confused with “vulnerability assessment”, is a very important part of risk mitigation for networks and infrastructure. A separate component of penetration testing is web application security, which when tested is often referred to as “web application testing” or “application security testing”.
Engaging a Penetration Testing firm:
… a few thoughts from 7Safe’s Director – “in the past, when I and other colleagues used to procure the use of penetration testing firms, it was very much an experience of engaging with an entity that was unknown. We have, over the years, learned so much about technical security audits, which is, in essence, what penetration testing activities are all about. Most importantly though, we also learned about just how valuable relationships are in penetration testing work, and how great communication together with knowledge transfer also contribute towards the education process that pen testing can also be.”
“Too many unanswered questions…”
During my time in commissioning each and every penetration test I would often ask myself:
- What are the pen testers really doing?
- Can I really trust them?
- What are they going to find and how will I fix the issues?
- Should I pop down to the server room and see what is actually going on?
- Can I do some of this myself?
Sometimes, after not hearing anything on the day of the test, I would ask myself: are they actually testing (I should look to my Intrusion Detection Systems just to check, as I have had no phone call or email to let me know…)?
“Communication is Key”
I would then, after this period of essential “silence”, receive a technical report which would range in quality and clarity – what were all these descriptions of vulnerabilities, and how on earth was I to fix them? Could I approach the penetration testing firm’s testers to walk through the report, or were they too busy on the next client site?
“Pen Testing Reports are as important as testing”
No matter how technical a penetration testing or application security testing exercise is, its value is reduced if it cannot be articulated in the form of a report that can be understood by senior management and techies alike. From a business perspective, it’s all very well showing a grid with 3 high, 4 medium and 10 low risks, but again, how likely are they to be exploited, and is your application or infrastructure in good shape? What is my business doing well and where are the weaknesses? This tends to be an area that, in my experience, most penetration testing organisations fail to address, because the techies do not know how to relate to business risk, only technical risk. Executive summaries tend to be a quick gloss because they are “needed”, and there is a distinct lack of prose, description, narrative and opinion that would help a business manager assess the state of security in place. As a provider of penetration testing, we recognise our clients need both.
“Keep on talking”
In our experience, it’s critical to keep talking with our clients to ensure that you have all the information you need from a penetration test to actually make informed decisions and to reduce your risk. It is our philosophy to engage 7Safe’s penetration testing and application security testing / web application security team right at the beginning of an engagement, during the scoping phase. We therefore immediately build an understanding of your network or application and ensure that this understanding is communicated in the scope of the testing contract. Prior to testing we will keep in touch – we understand that your application deployment project plan may not always run to schedule, and the more we talk, the more flexible we can be in accommodating changes to the joint schedules. The morning of testing arrives and you will receive a call to let you know that testing is about to commence (if we are not with you onsite for this particular engagement). Testing starts and by the end of the first day you are wondering how the project is going and what has been found – our answer is to set up a conference call. These need not be time consuming, but at the end of each day 7Safe can provide you with feedback and start the very important narrative that is missing from so many testing engagements. We call this client service – it costs nothing but care and effort. During the call we will share our knowledge, and you may wish to bring in your developers or project sponsor for such updates. Towards the end of the engagement your report will be prepared. If you were ever to sit in our lab, you would be pleased to overhear the amount of cross-checking, results verification and care that goes into such reports. Everyone will use a report template, but behind our penetration testing template are a series of decisions:
- How will this vulnerability be rated (High, Medium or Low) in context of our client, not pure technical risk?
- What is the risk of exploitation given your particular architecture?
- How easy will it be to fix?
- How can we actually demonstrate to our client how we exploited an application, and how can we show this in order to transfer knowledge for their benefit?
Each and every point in the report goes through this decision-making process, which is carried out by a consultant, not a script.
“Receiving Your Penetration Testing / Application Security Testing Report”
Over time, 7Safe developed a Secure Document Delivery System to help share penetration testing and web application testing reports with our clients in the most secure but easily retrievable manner. Your report, once through internal Quality Assurance, will be uploaded onto this system over an encrypted link and stored encrypted. The keys will be securely exchanged with you and, once the report is downloaded, the data will be securely purged from our system. All of this is achieved through standard secure Internet browser access, for your security and convenience.
“Feedback – talk to us”
Once you have your report, it’s important you feel that you can talk to us again and ask questions. We actively encourage client feedback and dialogue, as we understand that your team’s work now begins at this point. They will need to work through the technical content, whilst project owners and above will need to see the executive summary. Shortly after the engagement we will also contact you to seek your candid feedback – projects always have ups and downs, and it’s important we stay in touch to ensure that the level of service you get remains outstanding.
“What happens to your data?”
This is a question rarely asked, but very important to consider. Penetration testing data is, after all, very sensitive material. 7Safe’s solution is to approach the data as if it were in our Forensics or e-Discovery business, which uses very strict processes coupled with custom-built premises to protect the confidentiality of data. Your data will be archived in our secure forensics store for use later in further tests, whereby we can compare the results of this current test with those of previous work. After a period of time such data will be purged, but until that point it is removed from the team’s infrastructure and stored securely. All such processes are governed by 7Safe’s dedicated Exhibits and Property Officer.