Penetration Testing Services Procurement Guide

A STRUCTURED APPROACH FOR PROCURING PENETRATION TESTING SERVICES

Stage A – Determine the business requirements for testing

Overview

Evaluate the drivers for conducting a penetration test

Identify target environment

Define the purpose of the penetration test

Produce requirements specification

Stage B – Agree testing scope

Overview

Determine testing style (eg. black, grey or white box testing)

Agree testing type (eg. web application or infrastructure testing)

Identify testing constraints

Produce scope statement

Stage C – Establish a management assurance framework

The need for a management assurance framework

Establish an assurance process

Define and agree contracts

Understand and mitigate risks

Introduce change management

Agree a problem resolution approach

Stage D – Plan and conduct testing

Overview

Carry out planning

Conduct research

Identify vulnerabilities

Exploit weaknesses

Report findings

Remediate issues

Stage E – Implement improvement programme

Overview

Address root causes of weaknesses

Evaluate penetration testing effectiveness

Identify lessons learned

Apply good practice enterprise-wide

Create and monitor an action plan

Agree approach for future testing

PART I: INTRODUCTION AND OVERVIEW

About this Guide

This Procurement Guide (the Guide) provides practical advice on the purchase and management of penetration testing services, helping you to conduct effective, value-for-money penetration testing. It is designed to enable your organisation to plan for a penetration test, select an appropriate third party provider and manage all important related activities.

The Guide presents a useful overview of the key concepts you will need to understand to conduct a well-managed penetration test, explaining what a penetration test is (and is not), outlining its’ strengths and limitations, and describing why an organisation would typically choose to employ an external provider of penetration testing services.

Presented as a useful five stage procurement approach, the Guide then provides advice and guidance on how to:

Determine business requirements for a penetration test, considering the drivers for testing, the purpose of testing and target environments.

Agree the testing scope, approving testing style and type and assessing testing constraints.

Establish a management framework to assure quality, reduce risk, manage changes and problems and agree contract.

Plan and conduct the penetration test itself, which consists of conducting research, identifying vulnerabilities, exploiting weaknesses, report finding and remediating issues.

Implement an improvement programme to address weaknesses, identify lessons learned, instigate actions and agree an approach for future testing.

Finally, the Guide highlights the main criteria to consider when choosing an appropriate external provider of penetration testing services (referred to as ‘the supplier’). The six key selection criteria for choosing a suitable supplier of penetration testing services are highlighted in Figure 1 and explored in more detail in Part 4 – Choosing a suitable supplier.

Figure 1: Key selection criteria for choosing a suitable supplier of penetration testing services

Purpose

The purpose of the Procurement Guide is to help you to:

Understand objectives for conducting a penetration test;

Gain an overview of the key components of an effective penetration testing approach;

Determine whether or not to conduct a penetration test;

Assess the need to outsource the undertaking of a penetration test;

Identify what needs to be considered when planning for a penetration test;

Consider the different types of penetration tests that are available;

Learn about the penetration testing process – and associated methodologies;

Determine criteria upon which to base selection of an appropriate supplier.

Scope

This Guide is focused on helping your organisation to choose the right supplier, at the right time, for the right reasons. This Guide is designed to help organisations procure penetration services from external suppliers, but will also be useful for organisations conducting penetration tests themselves.

Rationale

Organisations have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat to key systems is ever increasing; the probability of a security weakness being accidentally exposed or maliciously exploited needs to be continually assessed – such as via a penetration test – to ensure that the level of risk is at an acceptable level to the business.

Much of the material in this Guide is based on the findings of a research project – conducted by Jerakano Limited on behalf of CREST – about the main requirements organisations have for considering and conducting penetration tests. One of the main reasons for commissioning a research project was that the customers of CREST members were often unclear about how to best procure penetration testing services.