Filed In: Security Testing, Application Security, General

Penetration Testing as a Sales Tool

Views: 379

Written By: Brian Shura September 05, 2017

How to Best Avoid Obstacles and Surprises at the End of the Sales Cycle

If you are selling a product or service to security-conscious customers, performing a thorough penetration test can provide you with valuable information that will help your sales process. Your IT and development teams may have some work to do in order to “pass” the penetration test, but in the end you’ll have documentation that you can show prospective customers and partners as evidence that your network and application(s) are robust against skilled and motivated attackers.

Here are some tips on how to approach this type of penetration test:

  1. Network and Application-level Testing – The test should include both network/infrastructure and application-level testing.  For custom-developed applications, a gray-box approach that includes authenticated testing will likely give you much more meaningful results than a black-box approach where the tester is simulating an external attacker with zero credentials.  A real penetration test is more than just a scan and should include a substantial manual testing component.
  2. In-House Testing vs. Third-Party Testing – Even if your in-house penetration testing team is very talented, I would recommend choosing a reputable third-party if you would like your results to be considered acceptable by the most demanding customers. A third-party test will allow for Separation of Duties between your in-house IT and development teams and the people performing the penetration testing.  A clean report from your own in-house team will not always be sufficient because many customers will be looking for the opinion of an independent, third-party expert.
  3. Remediation – The initial test will almost always result in at least some findings.  Be sure to budget time for remediation of code and infrastructure issues and retesting of those findings.  Our proposals include remediation testing and associated report updates. 
  4. Reporting – Most penetration testers will provide a Detailed Report, which is primarily for your own internal use.  In addition, a customer-facing Executive Summary Report is an important deliverable and will be most useful for your sales process.  Contact us if you would like to see our sample reports.  Key elements of this report are:
    1. Methodology and Tools Used
    2. Scope
    3. Summary of Findings – In most cases this consists of the number of findings of each severity level that remain open, with no vulnerability details provided.
    4. (Optional) Vulnerability List – Some of your customers will want to see the list of open vulnerability titles, even if they are all Low and Best Practice rated issues.  The exact format and level of detail in these reports will vary based on your needs – we’re flexible.                                                             

Once you have an Executive Summary report from a reputable penetration tester you can share this with customers who ask about your security controls.  It should be noted that a penetration test is just a point-in-time assessment, so we recommend performing a fresh test annually or after any major changes to your application(s) or network.

Brian Shura

Brian Shura is the Vice President of AppSec Consulting. Brian's team of security professionals performs appplication and network penetration tests, mobile application security assessments, source code reviews, and a variety of other interesting security projects. Brian often teaches application security classes and has created world-class security training for developers, QA analysts, and information security analysts. Prior to his role in application security, Brian spent five years working as a developer on large Internet-facing websites. Brian is also the Project Leader for the Web Application Security Consortium's "Web Application Security Scanner Evaluation Criteria" project.

read more articles by Brian Shura

© Copyright 2017 AppSec Consulting, All Rights Reserved