Pen Testing Results
You’ve found a pen testing company, gone through your scoping exercises, set up test environments and accounts, run through the test, and received the report. So far, so good, but you’ve not got anything of value out of the whole process.
Any pen testing programme only has value if you can take useful actions based on the report. To do that you need to know a few things: what’s the effort to remediate the finding, what’s the impact if the finding is exploited, and what is the threat that would want to exploit it? Where it’s a third-party application, it’s often a relatively simple case of discussing patching with the ops team. When you’re looking at an in-house developed system, things can be more complex.
Some pen testing companies will provide stock remediation advice against findings and standard priorities, others will work with you to understand the full context of your systems and provide bespoke advice on remediation (this is often referred to as purple teaming).
For an in-house system you’ll need to work with your development and operational team, and understand how they can either deploy a patch, or a new version, to resolve a finding. Understanding the effort required to remediate a finding is absolutely vital. When costing out remediation you need to consider costs, the time it will take development, the time it will take to deploy the remediation, and whether it will lead to any downtime.
The best way I’ve found to do this over the years is as simple as sitting down in a session with the risk owner (usually a product or project owner), their technical team, and a security representative. Make it clear that it’s the decision of the risk owner whether to remediate or not, given the potential impact and the effort, and that security and the technical team are just there to advise on risks and costs. If the risk owner isn’t comfortable being accountable due to the level of risk for a finding, and the effort to remediate is greater than can be met, then the risk should be escalated until either someone can accept it, or provide the extra resource needed.
This approach requires a mature risk management framework, someone in-house to provide the mediation and advise, or someone external to provide the purple teaming layer on top of the pen test red teaming. It’s worth discussing with your pen testing company if they can provide this service, or you can always work with a consultant to build out a full pen testing programme including the risk assessment and remediation piece.