by Peter


Cheap Penetration Testing

Cheap Penetration Testing. You have to (love|hate) it. As the owner of a penetration testing company I receive, almost daily, requests to “sharpen my pencil” or “give me your best price”. When I started back in 2010, I felt insulted, but over time that feeling faded and now it is just a raised eyebrow. I only ever give my best price. I think it is fair and represents value for what we do. But there is still a drive to get the cheapest penetration testing around. Why?

With penetration testing (especially regulated penetration testing such as a CREST-approved test), you are purchasing the skill of a professional tester, not a toolset or a licence code. So I thought it might be useful to explore what happens when you want to pay less for a test.

When I first wrote this article, it was prior to 2020. The Gig Economy was growing and a lot of people thought they could do penetration testing. It was crazy the sheer number of people who would run a pentest on your website for less than £250. I booked 4 tests with 5-star vendors on Fiverr and PeoplePerHour and asked for a pentest on a web application I had built. The app itself had multiple security issues, ranging from an exposed .git folder to a deep SQL injection. The prices for the tests ranged from £100 at the low end to £1100 at the high end. Only one provider was able to find the SQL injection, but could not demonstrate how it could be exploited. All of the providers identified the .git folder and only one explained why it was a security issue. None of them identified more than 50% of the issues with the web application. In contrast, one of our interns after four months of training can identify all of the issues, and exploit 80% of them. So it is true, you really do get what you pay for.

A Tale of Cheap Penetration Testing

All names are anonymised to protect people, but this is 100% accurate.

So without further gilding the lily, on to the scope. Company Theta (entirely made up) wants to test a web application they have deployed within the Microsoft Azure environment. The app has five user levels: free, subscription, customer_admin, support and global_admin. It has two API functions and it all talks to an Azure database.

Our initial quote was for seven days of test time. It covers five days of continual testing and two days for documentation. We always state that if we don’t use all the days, we will only bill for what we use. We produced a proposal that detailed what we would do during that time. We would cover all of the OWASP test points discussed in the scoping call, and it would all be to CREST standards.

The contact at Company Theta came back and asked us to look at the pricing and days because Competitor Bravo had quoted only four days and were £300 a day cheaper.

Sanity Check 1: CREST testing requires a CREST member company. A check on the CREST website did not list Competitor Bravo. We called CREST and asked, and they confirmed that Bravo was not a member company.

Sanity Check 2: CREST testing requires a CREST Registered Tester. In our proposal, we listed the testers available for the project so the client could choose their penetration tester. All of them are CREST Registered Testers. In the proposal from Bravo, no names or qualifications were given, so there was no way to verify the qualifications of whoever would actually do the testing.

Do you really want cheap penetration testing?

Penetration Testing is an intricate art. The first thing to check is whether the tester has understood your scope, and whether they are delivering what you actually want. Here is a list of things I consider when I engage one of our competitors to perform a penetration test on our own connected world.

Has the company understood the scope fully? When I briefed them on the remit of the scope, did they fully understand it, and have they documented it back to me?

Have they detailed what is out of scope? Sometimes out of scope devices are extremely important.

For example, the scope could be * (a wildcard covering the whole domain), but I may have explicitly put particular hosts out of scope because they are externally hosted sites.

Have they detailed the experience and qualification level of the penetration tester?

Will they provide their ISO 27001 and ISO 9001 certificates? For that matter, how about their Cyber Essentials Plus certificate? When you are engaging a firm to carry out offensive testing on your world, you need to know they have suitable levels of cyber and information security themselves.

Are they using in-house team members or have they outsourced the job to somewhere else?

Remember the UK DPA and GDPR here. A tester who can reach your live systems is handling your data on your behalf, and an undisclosed subcontractor is a really easy way to end up manufacturing your own data breach.

And finally, have they broken out exactly what you are paying for and listed the deliverables? At the end of the day, the tangible asset you are paying for is the report, so if you need it in 3 or 5 or even 7 parts, ask for it.

As always, we are here to help. We have a very strong and ethical team at Hedgehog and if you just want to chat about what to look for in a proposal, feel free to get in touch. I can often be found on our online chat.

Stay safe and secure out there.