Manager’s guide to effective penetration test management

Cooperation with penetration testers is not easy for every manager out there. Pentesters are people too, but many managers tend to ignore this fact and either look down on them or avoid direct contact. Some even ignore what they have to say. Obviously, communication problems lead to a decrease in productivity and in the quality of working relationships.

In my experience, it rarely happens that hiring companies know exactly how to proceed with penetration tests and other security-related activities. I believe it would be beneficial for the whole industry to prepare a guideline for those managers who haven’t had experience in handling this type of work yet, but who want to fully benefit from what they paid for. The advice in this article can be applied to penetration tests, bug bounty programs and other security activities.

Let’s take a deep dive into what managers and security teams can do to improve the quality of their collaboration with external security firms:

  • Try to build a long-lasting relationship with pentesters from day one.

In the flood of so many low-quality pentesting companies, you should appreciate a solid team once you find it. Sometimes a pentest needs to be performed on a project overnight, so it’s good to know a friendly security team that is always eager to help and squeeze your project into their schedule.
It’s understandable that you may not want to invest your time in building a relationship with an online company that only provides automated scanning for compliance checklist purposes. But the general idea is to respect each and every opportunity for networking and creating connections.

  • Explain your expectations and be open to proposals.

You may not actually need a full penetration test; a brief vulnerability assessment may fit your needs better. That’s why it’s important to build a healthy relationship with pentesters, so they can advise you properly and help you save money on things you don’t really need.

  • Be responsive to pentesters.

If they ask you about the details of your ecosystem, tell them as much as you know so they can adjust to your needs. Tell them what’s really important to you, which types of data have high business value and which components of your network or application are mission-critical. If you have all the paperwork in order, it’s completely fine to share your opinion on the strong and weak spots of the targeted network with them.

  • When an engagement is done, don’t limit yourself to taking a paper report with raw data.

Have a chat with those folks. Ask for their opinion on your architecture and write down all the technical advice they may have. Even though they may not know your business model well, they have seen many others in their careers, so they are often competent enough to say which elements of your architecture could be improved. They’ll be happy to help if you just ask.
If you show them that you really care, they’ll be more than eager to spend time talking with you, because they are usually tired of customers who want pentests just for compliance purposes and don’t care about actual improvements.

  • Schedule a short call with people who actually were pentesting your stuff and speak with them.

Pentesters often don’t have direct contact with the customer and can’t share their actual thoughts; these are often filtered through their manager or a support agent. So if you want to learn more from them, ask for a brief call with someone who was on the actual pentesting team.

  • Keep it casual whenever you can.

Watch your tone and don’t be passive-aggressive. When you feel that not enough information was provided to you, don’t rush to send formal letters demanding more. Remember that social interactions work both ways. If you’re too formal, you’ll get the same treatment from them, and they’ll do only what was agreed on in the contract and nothing beyond that. I know there may be emotions involved when someone points out weak spots in your product, but take it easy and remain calm.


Dawid Bałut 

A pentester and bug hunter with extensive experience who joined the security world more than half a decade ago. Since then he has worked as a Security Architect for corporations from Silicon Valley. Every day he builds security systems, trains employees and automates security processes.

More tips coming soon!