Penetration Testing and Meeting Compliance - What you need to know
At Pragma, many clients come to us for penetration testing services because they are required to comply with the regulations in their industry. It is one of the more common reasons to undergo a test, as these regulations require a routine penetration test by a third party for [state reasons].
In this post, we gathered Pragma's security experts to answer common questions on penetration testing and on how we help clients meet compliance requirements.
First, what exactly is penetration testing?
In a penetration test, the tester takes the role of an ethical hacker and attempts to gain access to the application from the outside, as a real attacker would. The objective is to find vulnerabilities that have not yet been discovered, using a range of techniques to bypass the security mechanisms built into the application, and to report them before an attacker finds them first.
Does my company need a penetration test?
A company should undergo a penetration test regularly (at least annually). This catches both new vulnerabilities that may have been introduced while patching or updating the system and existing vulnerabilities that were not detected earlier. A penetration test should also be performed whenever new features are deployed, or whenever configuration is added or changed, for example a change to firewall rules or to the permission sets of admin/member roles.
What type of penetration testing is performed that satisfies the requirements of regulators?
For web applications, white box or grey box testing is usually performed, whereas network testing is often done as a black box test. In white box testing the tester has full information about the application (for example documentation, architecture, credentials and, where available, source code); in grey box testing most of that information is provided, typically user credentials and documentation but not source code; in black box testing the tester starts with no knowledge of the system at all, exactly as an external attacker would. Check which approach your regulator or standard expects, since some prescribe the scope (for example both internal and external testing) and the minimum frequency.
How long will the test take?
The length of the test normally depends on the scope of what is being tested (e.g. the number of web application features to test, the number of devices to test) and on how quickly client and tester can communicate during the engagement (e.g. in answering the tester's inquiries or providing test accounts).
What is the cost for penetration testing?
The cost depends on the scope of items to be tested (e.g. network devices, functions and parameters of web applications), the complexity of the network infrastructure or of the web application's use cases, and whether the testing can be done remotely or has to be done onsite.
What do I get at the end of the test?
The report lists each finding with its Common Vulnerability Scoring System (CVSS) score, the severity rating derived from that score (critical, high, medium or low), a description of the issue, the evidence of how it was exploited, and the remediation steps to be taken. CVSS is an industry standard used to rate the severity of a vulnerability from its characteristics, such as whether it is reachable over the network, whether it needs credentials or user interaction, and how badly it affects confidentiality, integrity and availability.
How do I select a suitable penetration testing service provider?
- List the items your company needs to have tested, i.e. the scope
- Compare providers and ask each whether they are proficient in testing exactly what you need
- Check whether the provider, or the penetration testers who will be assigned to you, are CREST certified
- Ask for a sample report, so you can see the information you will receive at the end of the test
I am not required to meet compliance requirements. Is it still worth getting a penetration test?
A penetration test is always worth doing for the insight it gives into the real security of your system. There may be an existing weakness that has been overlooked, or a new bug that was introduced with a recent change, and it is far better to learn about it from your tester's report than from an attacker.