Oct 1, 2014

Penetration Testing Pitfalls

Why is running a Penetration Testing business so difficult? I've encountered a number of Penetration Testing companies during my career. I worked as a Pentester, I have engaged with some Pentesting companies as competition and I've experienced companies picking one Pentesting company from a bunch of competing businesses.

Running a Pentesting business is no easy thing to do. There are some common pitfalls Penetration Testing companies should try to avoid to become or stay successful.

Image courtesy of https://www.flickr.com/photos/brandongrasley/8227882239

In this post I will talk about these pitfalls and about potential mistakes Penetration Testing companies will make.

Overemphasize Technical Details

Technical details are important, right? After all, Pentesting requires deep technical expertise.

Yes, technical skills are fundamental to good testing. They can be compared with a hygiene factor from motivational theory: technical skills are expected to be in place and simply have to be there, and you will quickly and utterly fail if they are not. However, what is easily neglected is the fact that the report and the final presentation are your main interfaces to the client. Most clients I have engaged with were more interested in the business side of things than in the technical gimmicks of the report. Remember that the client is more interested in fixing a problem and turning his attention to things that earn him profits than in extracting remediation recommendations from obscure technical reports.

Underestimate Training

Get some experience in ethical hacking and you will do fine in a career in Penetration Testing. There are many ways to get in, but once you're in, you'll stay in. Conducting Pentests should be enough training for testers.

Sure, there is always something to learn in an engagement. But sometimes a tester has to get a broader view of the overall domain or has to refresh his skills in, say, mobile testing if he hasn't done any in a while. Pentesting is a knowledge-intensive job. The half-life of knowledge and skill is particularly short in Pentesting due to the frequency with which new tools and exploits are released. Used with surgical precision, Pentesters are like a scalpel: and like a scalpel, they need to be constantly sharpened.

Grow Too Quickly

Growth is good. How can growth be bad for a company? More growth equals more revenue, which equals more profits, right?

Growth is great. However, uncontrolled growth might not be. There are some potential drawbacks for Penetration Testing companies growing too rapidly. One has to understand the nature of Pentesting engagements to see why growth could be harmful in certain scenarios.

Pentesting engagements tend to be comparatively short. Of course there are many kinds of engagements, but compared with other security-related projects, say a Governance or Identity Management project, Pentesting projects tend to be shorter. I've seen 100-day governance or risk management projects being sold regularly, but rarely a Pentesting engagement of these dimensions.

Growing a constantly chargeable workforce becomes challenging with short-term projects. It works well until a certain magic threshold is reached (my best guess is somewhere between 20 and 40 employees), but then it can quickly boomerang in the opposite direction. Imagine just hiring 5 more Pentesters and suddenly there are no more projects. Some will say that this is a general problem in consulting-related businesses, but it still strikes me as especially relevant for Pentesting. It is rather difficult to find a Pentesting business with more than 50 employees. Most of the Pentesting companies out there are specialized and have a limited number of testers, or we are talking about big consulting companies offering Pentesting as one service from a broad security portfolio.

Using The Right People In The Wrong Places

We have this hardcore hacker. He cracks every system within hours. He can also deliver the report to the client and present it.

People have varying strengths and weaknesses. Use them wisely. Not everyone who is technically capable is also strong in his/her presentation skills. On the other side of things, if you have Pentesters with the "nerd" factor, you can promote them cleverly instead of stigmatizing them. Being nerdy can nowadays be an advantage for your personal or professional image if used in the right way. Someone fulfilling the stereotype of a socially awkward hacker may be believed to have better technical skills than someone perfectly groomed running around in his Hugo Boss suit.

Grow your company in a controlled manner.
Improve your reports and presentations. Make them more client-friendly.
Use your testers cleverly to fully utilize their strengths.
Keep your testers trained and up to date.
