A penetration test (pentest) simulates a cyber attack against your systems to find exploitable vulnerabilities. Conducting a penetration test with a third party helps discover vulnerabilities in applications that are susceptible to code injection attacks.

Testing methods include:

  1. External testing, e.g. web applications, websites, domain name servers (DNS)
  2. Internal testing, e.g. a malicious insider or a phishing attack
  3. Blind testing, where the tester only gets the enterprise name
  4. Double-blind testing, where the business has no knowledge of the test before the attack
  5. Targeted testing, where the tester and the security team work together and give each other feedback

A third-party penetration test carries the following requirements:

  • Categorize vulnerabilities based on the severity
  • Generate a report of results and areas for remediation
  • Conduct penetration tests on at least an annual basis

Additionally, banks may require the following:

  • Do you perform network/server scans and penetration tests, using reputable products, to identify security gaps?
  • Are regular static code analysis, vulnerability assessments and penetration tests conducted, to ensure that at a minimum there are no un-remediated OWASP Top 10 vulnerabilities?

SOC 2 Questions and Requirements

As penetration testing relates to SOC 2 requirements, our team uses the question and control below to help customers prepare for audit.

Question: Please provide the results from all network scanning and testing performed within the past 12 months. This includes all internal and external vulnerability scans and penetration tests.

Requirement: An organization should perform application penetration tests or ethical hacking of proprietary web-facing applications. Industry standards such as OWASP should be utilized as a foundation for detecting vulnerabilities in the applications, and measuring the effectiveness of the application security controls in place.
Technical compliance should be reviewed preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by an experienced system engineer could be performed.

Penetration Testing Scope

Penetration tests will cover the following:

  1. Security of internet channel
  2. Security of cookies
  3. Password auto-completion prevention
  4. Multiple X-Frame-Options header detection
  5. Cross-site scripting
  6. Cross-domain source file inclusion
  7. Anti-MIME-sniffing
  8. Credential hacking
  9. SQL injection
  10. Banner grabbing
  11. Port scanning
  12. Known service vulnerability tests
  13. Fuzz testing
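Three of the scope items above (cookie security, X-Frame-Options handling and anti-MIME-sniffing) can be pre-checked on your own application before the tester arrives. The checker below is an added example, not code from the original page; it takes a list of captured response headers and returns findings, and the sample responses at the bottom are constructed for illustration.

```python
"""Pre-pentest self-check for three HTTP items from the scope list:
cookie flags (item 2), X-Frame-Options (item 4) and anti-MIME-sniffing (item 7).
Feed it the response headers captured from your own application."""


def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return a list of findings; an empty list means the checked items pass."""
    findings = []
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # Item 2: every Set-Cookie should carry Secure, HttpOnly and a SameSite attribute
    for raw in by_name.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {cookie_name}: missing {required}")

    # Item 4: X-Frame-Options should appear exactly once with DENY or SAMEORIGIN;
    # duplicate or conflicting copies are what "multiple X-Frame-Options" refers to
    xfo = by_name.get("x-frame-options", [])
    if not xfo:
        findings.append("x-frame-options: missing")
    elif len(xfo) > 1:
        findings.append(f"x-frame-options: {len(xfo)} values present ({', '.join(xfo)})")
    elif xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {xfo[0]!r}")

    # Item 7: X-Content-Type-Options: nosniff stops browsers from guessing content types
    xcto = by_name.get("x-content-type-options", [])
    if not any(v.strip().lower() == "nosniff" for v in xcto):
        findings.append("x-content-type-options: nosniff not set")
    return findings


# Constructed sample headers: a weak response and a hardened one for the same app
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "ALLOW-FROM https://example.test"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or "no findings")
```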

Approaching Pentesting

Gray, white and black box testing varies across companies conducting pen tests.

Why are Pentests expensive?

Primarily, the scope: the number of external endpoints, APIs and IP addresses, the density of configurations to be reviewed, the depth of application testing, the scope of source code review, and the scope of internal testing covering containers, Kubernetes, data stores, etc. All of these add up quickly and can bring considerable costs.

Different Approaches

Gray, white and black box testing varies across companies that conduct pen testing. You have to flesh out tools, techniques and coverage for each. Re-testing and the time for remediation / mitigation also play into the cost.

Black Box

  • No data is provided to the tester or company conducting the testing.
  • Most closely represents a true real-world scenario.

The tester attempts to find holes and/or exploitable weaknesses in applications, architecture, configurations, API endpoints, and humans (via social engineering) to gain access to the environment. Depending on the testing scope, black box testing is usually the most expensive option.

Gray Box

  • Supply the tester with limited data. In most cases, only a set of login credentials is provided.
  • Strikes a balance between depth and efficiency.

As most real-world scenarios include the attacker doing reconnaissance, a gray box test can be both efficient and authentic. Depending on scoping, gray box testing can be a balanced cost option.

White Box

  • Includes full disclosure of network and application architecture, IP addresses, and credentials.

The test fully simulates a targeted attack with almost no system disruption. Depending on scoping, white box testing is usually the lowest cost option.

Pentest Costs

Penetration tests are priced based on scope. This includes variables like

  • the number of external endpoints, APIs and IP addresses,
  • the scope of configuration density,
  • re-testing, time for remediation and mitigation,
  • depth of application testing, and
  • source code review.