Ever wonder how companies get away with selling dirt cheap penetration tests? Odds are they are outsourcing the work to offshore engineers in other countries. I’m sure there are some great penetration testing companies that are using offshore resources and I know there are great companies that are headquartered in places besides the United States, so this isn’t intended to be a derogatory post in any way. The same things that apply when making a decision about any penetration testing company you might be considering working with will apply here, too. The main difference is that some of these problems may be exacerbated (due to things like language barriers) and some things may be more difficult to verify (e.g. background checks and certifications). So let’s discuss some of these pros and cons of an offshore penetration test.
Pros of an Offshore Penetration Test:
Price – Generally speaking, the price of an outsourced penetration test will be cheaper. As with most things conducted offshore, labor costs are lower and that translates into a lower cost for the consumer. You can get paired with an engineer operating at a much cheaper rate, as opposed to a top notch engineer in the US that might run somewhere around $250/hr.
Checking the Box – Many companies request penetration tests to check the box for some compliance requirement. If this is the case and price is your primary determining factor when choosing a penetration testing vendor, this route may be for you. You will still receive a report stating you had a penetration test completed, which may satisfy your compliance requirements.
Quality Engineers – Unfortunately, offshore engineers sometimes get a bad rap as not being qualified. But some of the brightest minds and most technologically advanced institutions are in countries like India, and they are producing great security engineers. It is always worth asking for the biography, including certifications, of the engineer who will be assigned to your project, to ensure they are a fit to conduct your penetration test and you’re getting the level of expertise you expect.
Cons of an Offshore Penetration Test:
Bait and Switch – When selecting a penetration testing vendor, you should always ensure that what they are selling is what you will be receiving. We recently had a client mention that they had received a contract from another security vendor and buried in the contract it mentioned that the work would be outsourced offshore. This was never mentioned during the sales process. It is always fair game to ask where the engineers sit that will be conducting your penetration test.
Timing Differences – Due to the time zone differences, a simple question about your test may take more than 24 hours to get answered. This can result in increased frustration on your end, as you might just be expecting a quick and simple answer. Time zone differences can also extend the length of testing and documentation that is required to complete a project, due to issues troubleshooting or transferring scoping information. Of course these same issues can occur in other firms that don’t offshore testing, but the risk seems to be higher with offshore solutions.
Reporting Differences – Reporting may be in a different format or explained differently than what you are expecting due to cultural differences. Sometimes language barriers can be hard to overcome for some folks, which may hamper your understanding of the penetration testing results and remediation recommendations. The report may not even be presented to you by the engineers who actually did the testing, which can also make the results harder to digest and accurately put into context.
At Triaxiom, all of our engineers sit in house and are employees of Triaxiom Security. Again, this is not to say that there are not highly qualified folks elsewhere; this is simply a business decision that has been made to ensure we have a tight-knit team and better quality control on the services we are offering. While other companies have chosen a different route by leveraging offshore resources, that doesn’t mean they are bad or ineffective, and a lot of the time they are probably cheaper. It just means that you’ve got to put a lot more time and effort into due diligence before engaging those companies to make sure you’re going to get a thorough test, a capable engineering team, and a high quality product. Have questions or want to discuss your next penetration test? Contact us today!