As we have previously discussed, it is often difficult to justify the budget and quantify the return on investment for a penetration test. While we always recommend that your firm conduct a reasonable amount of testing, with a scope sufficient to maintain a stable security posture, we recognize that the available budget and the required level of testing don’t always align. Today, we’ll detail strategies to reduce the overall cost of a penetration test while still achieving some of the key benefits of testing.
Strategies to Reduce the Cost of a Penetration Test
Sampling: As the name implies, sampling means selecting a subset of your assets for testing rather than conducting a thorough test of every single asset. This limits the scope of the penetration test, which in turn can reduce the cost of testing. There are a number of concerns with this approach, so it’s important to consider carefully which assets you pick. It’s a great idea to work with your penetration testing firm to vet the list of assets to be tested and get feedback on potential concerns. Some of the key considerations when using a sampling approach are:
- Vulnerabilities may be missed because not all assets are being tested.
- Chained exploits utilizing vulnerabilities across multiple assets may be missed.
- Sampling will not satisfy most compliance requirements for penetration testing.
- If you have a standardized configuration process, testing a sample can still reveal weaknesses shared by an entire class of assets (e.g. all your network devices are shipped with SNMPv1 enabled with the default community string); without such standardization, a finding on one asset says little about the untested ones.
- You will be better off doing some level of testing to start quantifying your risk than no testing at all.
Vulnerability Scanning: While 10 times out of 10 we will recommend a full-blown penetration test over a vulnerability scan, there are scenarios where a vulnerability scan makes sense. For example, you may already complete annual penetration testing but want a more robust security program and need a third party to help with vulnerability management. In this scenario, you can identify and remediate the known vulnerabilities the scans report, which improves both the results of your annual penetration test and your security as a whole. With this approach, you’re actively managing vulnerabilities and your risk landscape throughout the year rather than during a one-time assessment. If you want to get started with a security program but aren’t sure where to begin, a quarterly vulnerability scan may be a good way to start fixing issues prior to conducting an annual penetration test.
Multi-Year Contracts: At Triaxiom, we offer multi-year discounts for any security assessment. When you know you will be conducting annual testing, why not lock into a multi-year contract and achieve some cost savings? With a long-term engagement in place, you can strategically plan releases, upgrades, and architectural changes while still scheduling your security assessment well in advance. It also gives you the assurance that your project has already been budgeted for and that you won’t see any year-over-year price increases.
Multi-Assessment Discount (Bundling): Although it seems counterintuitive to add scope when you are looking to reduce your budget, bundling may make for an easier conversation with your decision makers or executive management. At Triaxiom, we offer a discount when 3 or more assessments/services are purchased together. For example, the conversation may start with: “We can get an external penetration test, internal penetration test, and a social engineering assessment for the same cost as just the external penetration test and internal penetration test, and we’ll get a better view of our risk by doing all three at the same time.”
Be Honest and Just Ask: Be honest in your initial conversations with a penetration testing firm. Let them know what your budget is and what your expectations are. Not only does this streamline the overall process, it also avoids wasting your time if the services you are looking for are far out of line with your proposed budget. It always helps the penetration testing firm to understand where you are budget-wise and whether they will be able to meet your testing requirements within that budget.
At the end of the day, our goal at Triaxiom is to help build a more secure world by helping each of our clients improve their security posture. We will try every way possible to achieve your requirements within your budget!