Penetration testing is one of the most common techniques for achieving compliance with security regulations and protecting company networks, systems and users. A penetration test is also known by IT experts as a pentest. In this controlled test, hackers are authorized to simulate an attack on named applications and networks in an effort to assess the security of the infrastructure. Penetration tests are performed with a specific goal in mind, such as trying to gain access to a sensitive system or to steal information from a secure system.
In traditional penetration tests, a small group of researchers run tests and deliver a report for a fee. These reports are often expensive and difficult for smaller companies to afford. Hacker-powered penetration tests represent a newer, more cost-effective method for strengthening application security. Hackers are asked to locate vulnerabilities in an organization’s systems, simulating a malicious attacker.
Penetration Tests – What to Look for
If your company has decided to look into penetration testing, there are many vendors from which to choose. Here are some of the factors you need to consider when evaluating vendors to perform security and compliance testing on your behalf.
- Transparency and Visibility: In traditional penetration testing, clients aren’t afforded visibility into the engagement process. Critical vulnerabilities aren’t shared with internal stakeholders in a cohesive way, and remediation solutions are only given as part of the end report. Tests conducted by hackers should be transparent so customers know what is occurring throughout the test. If they have input in the process, they can actively take part in real-time remediation.
- Integration with SDLC (software development lifecycle): Typically, the cost and work product of the penetration test are focused on the final report delivery. Though essential, the report is generally very long and does little to provide concise remediation plans. Pentest protocols should integrate easily with all aspects of the software development lifecycle (SDLC) so results are forwarded to the right developer and vulnerabilities are fixed more rapidly.
- Diversity and Collaboration: Traditional research firms that deal in security and pentests will normally send one or two researchers, often entry-level employees. Clients have virtually no access to the process and rarely speak with the team trying to find vulnerabilities in their own systems. Hacker-powered efforts, by contrast, value collaborative environments and encourage discussion. Customers can communicate directly with researchers to discuss issues and understand the problems. A hacker team often has several members with diverse skill sets and varied talents, to best simulate what an adversary’s team may look like.
- Speed and Efficiency: It is important to point out that depending on the company you choose, you could wait anywhere from one week to 6 weeks before a team can come out to perform the pentest. Note that many companies will charge more for expediting the testing.
- Long-Term Security and Compliance Goals: When deciding who to hire for your security testing, customers should map out the long-term security goals for their organizations. Questions such as how often pentests should be performed, and which regulations you need to comply with, need to be answered. Different security vendors offer unique benefits and may specialize in different types of testing, from point-in-time testing to continuous testing capabilities.
At Alliance IT, we believe that penetration testing is not a one-time event, but should be integrated as a strategic part of your long-term security strategies. Do you want to learn more? Call us today for a consultation.