Penetration testing or pen testing for short is a simulation of an attack on your company’s IT infrastructure or specific assets in order to assess the security posture and discover potential flaws that could allow malicious individuals or groups to compromise the security’s main pillars (CIA: Confidentiality, Integrity, Availability). The goal of the whole exercise is to identify vulnerabilities, potential compliance breaches, test the internal IR (Incident Response) procedures and preferably improve awareness of the employees.

Why use external penetration test services?

Getting an external vendor to perform your security penetration testing assessments is a common practice for businesses across many industries. There are several reasons for this and most of them are understandable and on point. One main benefit with third party penetration testing is that companies avoid potential conflict of interest or various biases that internal security teams often have from testing the same application over and over again.

In addition, outsourcing your penetration testing efforts can offer fresh and customized methodologies that can be utilized by the external resources which usually means better quality and coverage. Majority of the organizations perform these assessments to both, check their security posture across their IT estate or a specific scope, as well as satisfy different regulatory requirements that are also usually mandating an independent security audit.

Businesses usually follow general guidelines when it comes to the vendor selection process in order to determine which service provider would be the right fit for them at a specific point in time. Analysis of a vendors technology achievements, reputation, resource pools, trustworthiness, and dependability are usual elements within the process.

Common doubts that security executives face are related to decision making around either staying with an existing vendor or reaching out to new partners to perform the security assessment and each time they are looking to have a penetration test performed they repeat this thought exercise. It is at this point that the whole process becomes even more interesting and requires both business and technology involvement in order to get the most out of the whole thing.

Retaining pen test vendors vs rotating pen test vendors

Choosing the same vendor regularly has its apparent pros and cons. The convenience of onboarding, depth of knowledge, and less preparation and planning time are common benefits of staying with a pen testing vendor. However, when a vendor is aware of your posture on a continuous basis and has insights into the whole remediation journey from the previous assessments this leaves room for negative effects. On the negative side, keeping with the same vendor limits the creativity of findings, leaves room for areas to be overlooked based on strong biases, produces predictable reporting, and using a singular vendor doesn’t keep pace with you adversaries.

When you stick to the same pen testing vendors future exercises tend to become a replica of those from the past and unless the scope changes significantly, not much value is usually added long-term. Therefore, many people and businesses consider rotating providers a best practice. This enables them to compare the quality and value but also to experiment with various vendors that are specialized for specific types of assessments (infrastructure assessments, web and API penetration testing, social engineering etc.).

Some will righteously disagree with the rotation of vendors and defend that using new vendors means having to rebuild the understanding of your business, context, and knowledge from scratch. In the case of retaining vendors this work would only be necessary during the initial conception. So what should be the right approach and how should organizations pick the right option?

As we’ve seen, the biggest issue with the rotation of providers is a constant need to rebuild insights, business context, and knowledge about the application or the infrastructure. However, staying with the same vendor can cultivate questions about the quality and diversity of assessments. Ideally, we would be able to combine these two approaches in order to get a model that can solve both problems.

So, what would the options be? Multiple vendors at the same time? That would probably cause more friction as two significantly different approaches would be involved, with different levels of access or different assessment timeframes which would, in addition, stress the internal processes and resources.

What is the ultimate solution?

Using the same vendor that has unlimited skillset pools and can maintain the understanding of our business context and application logic knowledge at the same time. A vendor that can simultaneously switch specialist focus and assess the same scope from different perspectives, as well as do it in a standardized way that we are already using.

Therefore, enabling a long-term partnership. Basically, this is something that a Pen Testing as a Service approach brings into play. A global pool of skilled researchers with a diverse set of skills across the technology stack. While still sustaining a continuous business relationship and understanding of an application, its expectations, and its technology.