Established in 2005, Bishop Fox offers offensive security testing and consulting, helping companies identify vulnerabilities in their networks. Their security programs include penetration testing, application assessments, and continuous attack surface testing (CAST).
With major cybersecurity breaches hitting the news nearly every week, companies are scrambling to secure their own networks. However, a vulnerability often isn’t obvious until someone exploits it. We spoke with Matt Keeley, security consultant at Bishop Fox, to get an overview of penetration testing and help organizations learn how they can identify these vulnerabilities before an attacker does.
Jenn Fulmer: Which kinds of companies do you believe penetration testing is most important for?
Matt Keeley: Penetration testing is important for all companies! There is a misconception that smaller companies are not targeted by attackers because of their size. However, this is far from the truth. In fact, 55% of all small and mid-sized businesses have suffered from a cyberattack.
What are some of the biggest mistakes you see companies make when performing penetration tests?
One of the biggest mistakes we see during pen tests is setting an unrealistic scope for the engagement. Adversaries will do whatever they can to infiltrate a company’s network. Setting the scope too small or too large can greatly impair the results of the assessment.
Setting the scope of the engagement too small will limit the opportunities to obtain coverage of the application and find high-level issues. On the other hand, when setting the scope too large, the pen testers have a hard time diving deeper into the code base or network and as a result, may impact the overall results by missing niche vulnerabilities, which take time to discover. This is why it is important to have a scope that’s not too small, and not too large.
Another problem we see when pen testing is thinking one pen test will be enough. It is not always possible to find all of the potential issues during a time-boxed assessment. Lastly, an engagement that only focuses on existing problems, rather than trying to find new ones, can be detrimental to the overall results.
Do many of your clients struggle with the same vulnerabilities within their networks?
Absolutely! Most of the vulnerabilities that we consistently identify can be found on the OWASP Top 10. These problems are easily introduced into the code base and can have some serious consequences if exploited by an attacker.
What should companies look for when choosing a penetration tester?
More often than not, penetration testers will work in groups to efficiently get full coverage of an application. Pen testing teams are typically much more effective than just one penetration tester who is working solo. Having a team of pen testers available usually ensures that the client has access to an array of technical skills.
When choosing a pen testing team, companies should look for three things:
- Demonstrated expertise in at least one specific area of pen testing. This should align with the company’s overall goals for the assessment.
- Clear, concise, and frequent communication. Communication is vitally important and will help both the pen test team and the client establish a good working relationship and achieve their goal. It is important to clearly communicate in the pen testing report so the client can implement any recommendations and improve their security. It’s just as important to communicate clearly during a readout to both executives and engineers to show the value gained during the penetration test.
- Quantifiable technical expertise in pen testing and computer security. Check out the company’s website; look for case studies, customer testimonials, and thought leadership or research efforts that back up any claims they make about their technical skills.
If companies only have room for one test in their budget, should they focus on internal or external penetration testing?
This will depend on the company’s overall goals and architecture. In the past five years, we have seen a dramatic transition to cloud networks, which are typically segmented. This allows the organization to separate the critical infrastructure and the internal network infrastructure, which provides tremendous security benefits.
When determining what type of pen test to pick for your company, we like to give the advice, “follow the data.” If the priority is to protect client data, figure out what systems directly interact with that data and focus there. If the company’s web application is handling the majority of the personally identifiable information (PII), that is a good starting place for pen testing as it directly interacts with client data and does not require any internal or external network testing.
How does your approach to penetration testing differ from your competitors?
Bishop Fox is known in the industry for delivering results. We foster fantastic relationships with our clients, and because of that, a large part of our business is from referrals! This process begins with scoping the project to ensure that the client’s desired objective can be achieved.
Bishop Fox has a vast number of employees with a diversity of skill sets. It is important to match up the right pen testers with each project to deliver the best results to the client. These pen testers work as a team to complete a project’s objectives, whether that be finding vulnerabilities in a network or ensuring compliance for web applications.