If you’re more than 3 minutes into your search for a Web Application Pen Test, you’ve probably already realized there are thousands of available options. In Google-ing I was immediately served, “Pen Testing– $999– Call Now!” V Compelling. Much Marketing. But I get it. Web Apps often experience the highest rate of change amongst all digital assets. Every new feature– added or removed– disrupts code and creates new opportunities for vulnerabilities. Supply has definitely risen to meet demand. So when virtually every provider looks the same, what else, besides price, can you use to evaluate potential vendors?
Try these 5 questions:
1. “How will you ensure I get the right testing talent?”
Sample resumes only prove the company has talented people, not whether you’ll get them on your program. This ambiguity is almost impossible to avoid in traditional pen test shops, where full-time salaries necessitate more hours billed than on the bench. That’s why the retained testers typically have a very diverse set of skills– so they can adapt to any program. This might be a net-positive depending on your use case, but for those with niche, or complex functionality and user workflows to test, speciality trumps generality.
Luckily this problem is quickly solved with math. Bigger talent pool = higher likelihood of your perfect set of skills existing somewhere within. In this case, be sure to ask whether your provider has a mechanism for quickly matching requirements to skill and availability.
2. “How quickly can you launch?”
Traditional pen test shops that hire many top-tier specialists are likely to produce better results, but if incoming requests don’t match available skills, retaining talent can be costly. Hiring a small number of all-stars saves money, but can mean frustrating scheduling delays for customers waiting for scarce talent to become available. Those angling for long-term customer relationships will shoot for a balance between the two, often swinging more towards the latter when demand wanes. Oh to be an economist on the wall during these conversations…
But the reality is that customers don’t have to choose. When the pool is large enough, programs can launch in days, not months, with the right talent. Crowdsourced security platforms offering project-based work means available talent is virtually limitless, and always available. Of course as above, volume and variety of talent is meaningless without a mechanism to match at scale 🙂
3. “How soon can I see results?”
Time to final report is a function of testing time + results aggregation. If you’re in a hurry, some providers offer special “rush” pricing to ensure your report is prioritized above all others. This is useful if you have an audit on the horizon, but less so if any issues are uncovered, and you need to quickly fix and execute a secondary assessment for a clean report. (An add-on I would obviously name “Rush Hour 2” if given the opportunity).
So when asking your provider about “time to results,” it pays to get specific. Ask whether you can see results prior to final reporting. Providers employing manual strategies may have a tough time obliging, but this is an easy ask for platform players. For these companies, vulnerabilities are viewable in-platform as soon as they are uncovered, enabling you to fix faster, and get a clean report sooner.
4. “What does your reporting look like?”
This might actually be the first thing you ask, but here we are, at #4, and there’s really no turning back now. The reasons why organizations conduct pen tests vary by company vertical, compliance mandates, partner networks, customer requirements, etc. But most of the ‘why’ is baked into the ‘what’– the final report. It matters. It has to stand up to the needs of your most important stakeholders. Traditional pen test shops shine in this arena, but some platform-powered crowdsourced options still have a ways to go.
If you choose a crowdsourced pen test, make sure the report has been thoroughly assessed by an independent auditor to meet strict compliance requirements like PCI-DSS, or ISO27001. You shouldn’t be left guessing whether your report is fit for purpose.
5. “Can you integrate with my existing workflows?”
Traditional pen test providers often force organizations to take a siloed approach to testing. The market has moved on. Ensure your provider can connect to your existing software and security lifecycles through workflow integrations like Slack, JIRA, ServiceNow, and GitHub, so you’re not left to manually port results between finders and fixers.
6. BONUS “We’ve gone remote– have you?”
According to a recent Bugcrowd survey, 83% of businesses expect to remain at least partially remote for the foreseeable future. This impacts how they interact with employees and vendors alike. Unfortunately, this shift hasn’t been easy for many traditional providers. Developing and testing the necessary technology, workflows, and policies for ensuring secure access and streamlined management probably wasn’t on their 2020/21 roadmap (or anyone’s for that matter).
If your organization has gone remote-first, it’s worth checking whether your vendors are equally equipped. That means ensuring they have a means for vetting, monitoring, and assessing the activities and performance of a fully remote team, and are equally well-versed in handling their unique support requests.
Bugcrowd Web Application Pen Test
Bugcrowd Web Application Pen Test reduces time to talent for organizations needing rapid, reliable penetration testing. Our remote-from-the-start model has given us years of experience in quickly connecting and managing top talent from around the world, while our fully managed platform technology makes pen tests painless for any security team. Learn more about our Web Application Pen Tests on our website, or get a custom quote today!