For someone without in-depth technical knowledge, it can be quite hard to judge whether a security test has been carried out properly, let alone to get a good idea beforehand. As I wrote in my previous blog, choosing a reputable party is very important, and this will already give you a degree of certainty regarding quality. But what aspects can you keep an eye on yourself? How do you know whether an appropriate security scan has been carried out and whether the results you have are worth anything to you?
The intake assessment: does the supplier know what he's going to do?
Manual versus automated
A manual investigation, by contrast, is far more focused and in-depth. A manual investigation mostly involves obtaining the most complete possible picture of the opportunities available to an attacker. The objective is to catalogue as many potential vulnerabilities as possible and to mitigate them entirely by means of technical and/or organisational measures. Because this is a targeted investigation carried out by specialist, it also generates much less noise in your environment. It is not necessary to attempt particular attacks in endless numbers of ways, because an experienced attacker can immediately interpret how the system works and responds and can therefore go to work in a far more focused manner. A manual test helps you answer your specific security question and gives you an idea of your vulnerability to a targeted attack.
How is a manual test carried out?
However, not all vulnerabilities are the same: for example, a ' Cross-Site-Scripting problem' can be very simple to find, but it can also be rather more embedded in the system, which means that more knowledge is required to find and exploit it. On top of that, using various vulnerabilities in combination can open up a whole new world of possibilities for the attacker. For this reason, it remains essential that the ethical hacker performing the test uses his experience and creativity in order to also be able to identify and report these complex combinations.
So, before you hire a company for a security test, always ask for an example report. This already gives you a good impression of how tests are carried out, what they test for and how the results are reported.
Lead time and price
Look closely at the correlation between price and lead time. Generally speaking, you can't carry out a good security test in one or two days. The average lead time is one to three weeks of hands-on work for a dedicated tester. If the lead time is very short, you're probably looking at an automated scan. If it is very long, you might question the quality of the implementation, or perhaps the day rate is being kept artificially low. In the end, it isn't the day rate that matters but the end result you get for the total price of the investigation. Nevertheless, many firms do compete on day rates. Don't let this throw you, focus on the desired result.
A good security test report versus a bad one
What does the ideal test report look like? A report from a properly performed security test makes clear exactly what has been done and has a number of characteristics: