Don’t Ditch Your Pentesters - Alternate Them!
by Ivan Novikov
Long-term relationships are generally valued over short-term ones.
This applies not only to interpersonal relationships but also to the relationships between companies. In a long-term collaboration, both sides have time to learn a lot about each other: they get to know us, we get to know them, and a significant shared context of the interaction evolves.
This is especially true when we're talking about information security, and pentests in particular, an area that deals with highly sensitive information about the company, where trust between contractors is extraordinarily essential.
Nevertheless, in many cases, two heads are better than one. To that end, there are several important reasons to alternate pen-testing vendors from time to time. Let's review the arguments on why this is a good idea.
1. Diverse perspectives "super-power"
Different companies have different strengths: one is good at web applications, another at network infrastructure, a third at social engineering, and so on. Each specialization is a targeted field of knowledge, requiring deep study and constant practice. It's quite difficult and expensive to hire high-quality specialists in each of these areas, and then to maintain the staff's professionalism with a continuous and even flow of projects related to each area.
Inevitably, one of these directions dominates, and the others, even if a company covers them at a high level, become secondary.
That's why, by switching your pentest vendor, you hedge the risk of a situation where your system is only partially covered by tests at the proper level.
2. Size matters
With respect to diverse perspectives, we should accept the fact that boutique companies do not have specialists skilled enough in every technological area needed for specific projects. On the other hand, the strong side of such companies is their focus on a particular kind of pentest (for example, web and mobile applications) and the opportunity to dedicate a tester, or even a small team, entirely to your project.
At the same time, the staff of big security companies (which have pentesters specializing in various kinds of tests) usually have several projects in the works simultaneously, and their pentesters could potentially miss some vulnerabilities that are difficult to discover and exploit.
3. To err is human
Pentests, like any other area of human activity, are subject to errors caused by the so-called "human factor". Pentesters who periodically repeat the pentest of the same system develop blurred vision for some parts of it, just like developers in their work. This becomes significant when you repeat pentests often and your vendor's staff is very familiar with your code. Despite the best intentions, such pentesters can mistakenly skip something obvious, in contrast to someone with a fresh look at the project.
Besides, pentesters may also have personal biases, such as a like or dislike for a technology stack or even the project itself. Surely a skilled professional pentester would do their best to complete the testing, but this personal attitude can influence the result.
4. Trust as the foundation
Trust built on long-term cooperation is priceless. However, if you don't compare the results of your highly qualified and experienced suppliers with the results of others, you will always have reasonable doubts.
You can never trust your pentest vendor entirely. This is why periodically switching between a couple of them, or engaging a brand new one, can help you increase confidence in your system's security level.
5. Subjective evaluation can be a threat itself
As mentioned earlier, it's always important to have "a second opinion" to prioritize risks correctly because, despite the existence of CVSS, evaluation of threat level is still very subjective due to the complexity of systems and the context of specific business cases.
Probably all pentesters follow the CVSS standard, but it is very flexible and allows a high degree of freedom in the evaluation of vulnerabilities. That's why comparing different pentesters' points of view will enable you to ensure nothing significant is disregarded because of the "low importance" claimed by one pentester.
6. Money talks
Keeping your system secure can be a pretty expensive task. Therefore, in the case of periodically repeated pentests, you can engage a more expensive pentest vendor for regular comprehensive security testing (for example, annually) and a relatively cheaper service for testing current releases or suspicious parts of your network.
So, what is the conclusion of it all?
We assume that it's always useful to alternate pentest providers; the only question is in what way you should do it. One approach is to regularly engage two or more vendors and alternate them. Another is to keep your regular vendor for the long term and introduce a fresh perspective from time to time. A third approach is to test the water with new vendors on less critical new releases while keeping the bulk of planned pentests with your existing proven vendors. Undoubtedly, the final decision depends on your systems' features and the processes of your company. Whether it is via short-term relationships or long-term ones, the main goal is to maximize the security level!
About the Author
Ivan Novikov is the CEO at Wallarm and a white-hat security professional with over 12 years of experience in security services and products. He is an inventor of the memcache injection and SSRF exploit class. He is also a recipient of bounty awards from Google, Facebook, and others.
Wallarm is a cybersecurity company headquartered in San Francisco. Wallarm delivers automated cloud-native application and API security throughout the application development and deployment lifecycle. Wallarm's AI-powered Application Security Platform includes FAST for CI/CD-integrated security test automation during development and Advanced WAF attack blocking and vulnerability protection after deployment.