Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing
What you need to know about bringing penetration testing in-house
November 20, 2009
With the veil of mystique and enterprise concerns surrounding penetration testing gradually being lifted, enterprises are realizing how a quality, comprehensive pen test can supplement their security efforts and find holes before attackers do -- with the added benefit of meeting PCI DSS requirement 11.3. Now many enterprises are starting to consider whether they should perform pen testing in-house themselves.
The average IT professional views pen testing as a black art. It's an activity often seen as dangerous and counterproductive to an operational environment where testing could impact business and cause downtime, but it's a practice gaining popularity thanks to the annual pen-testing requirement by the PCI Data Security Standards (DSS) and publicity surrounding the recent purchase of the Metasploit Project by Rapid7.
Deciding whether to pen test in-house or outsource the job is a decision not to be taken lightly considering it can cost anywhere from $5,000 to $50,000 or more, depending on the size of the target, scope, and reputation of the testing vendor. A pen-testing product, meanwhile, costs anywhere from a few hundred dollars for a narrowly focused tool to $30,000.
While saving tens of thousands of dollars by purchasing your own pen-test tool sounds good at first, with internalizing the work has its own costs. The investment in human resources, training, and software must be weighed against the potential savings from shelling out big bucks for a third party pen test. Let's examine each:
Don't forget about retention issues that can accompany adding increased responsibilities on current employees and training both new and current employees. Competent pen-testing skills are very valuable right now, and you'll need to make sure your pen testers' salaries are reasonably competitive with how much they could make elsewhere.
It's not uncommon for employers to draw up a contract that says the employee must repay part or all of the training expenses if he chooses to leave for another employer within a specific amount of time.
Once you've answered the question of whether performing in-house pen testing is cost-effective, you still need to answer the ever important question: Can your team perform a comprehensive test that is objective and doesn't suffer from a myopia that often occurs when the tester is too close to the target organization?
The upside of performing pen testing with an internal team is they are familiar with the organization, the network, where the critical assets are, and the people. They may end up finding chinks in the company's armor quicker than a third-party pen tester because they have the familiarity and will know where to look first.
But the trade-off is an internal pen-testing team may be too familiar and comfortable with the target environment and could overlook common issues that someone from the outside may not. Personal relationships may even impact whether they target specific users for social engineering exercises, like a simulated phishing attack.
Making the decision to staff, train, and maintain an internal pen-testing team is a big one that can have a serious impact on the security of your company -- more than just checking off "YES" on a PCI Self Assessment Questionnaire. It's a good idea to hire a third-party pen-testing firm to follow up on the initial pen tests by the internal team to make sure they're doing a solid job -- and every couple of years thereafter to ensure results are consistent.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.