Penetration Testing 101: A Comprehensive Guide for Tech Leaders

What is Penetration Testing?

Penetration testing is an exercise aimed at identifying vulnerabilities, misconfigurations, and backdoors in your software. In essence, it’s an authorized attempt to spot weaknesses in your security. You can conduct penetration testing in-house or hire an external party to do it for you.

Penetration testing can be applied to various aspects of your business, including software, networks, and even the physical security of your premises. In this post, we’ll primarily focus on software, as this is where I have the most expertise.

Types of Penetration Testing

  1. Black-Box Testing: The testers receive no information about the system. They attempt to gather information and breach security purely through their investigative efforts.
  2. Grey-Box Testing: The testers are provided with some information, such as login details and a basic understanding of the platform. This allows them to assess the effectiveness of your authorization mechanisms and identify any potential for unauthorized access to sensitive data.
  3. White-Box Testing: The testers are given extensive information, including access to the codebase. This enables a thorough analysis of the code to uncover security vulnerabilities and attempt to exploit them.

Why is Penetration Testing Important for Your Business?

Why should you invest in penetration testing? Whether performed in-house or outsourced, it requires an investment of time, resources, and money. Here are two key reasons why it’s crucial:

  1. Assessing Your Security Posture: Penetration testing evaluates how resilient your software is to external attacks. Cyberattacks are inevitable, regardless of your business size. Being prepared can prevent downtime and loss of user trust if an attack occurs. A compromised platform that takes days to restore can severely damage your reputation.
  2. Meeting Client Expectations: If you offer software to enterprise clients, they will likely request an external penetration testing report at least once a year as part of their technical due diligence. Providing this report is a standard industry practice and can be a critical factor in client retention and trust.

How Much Does Penetration Testing Cost?

The cost of penetration testing varies, but to give you an idea, let’s consider a typical scenario for a product company with a web-based multi-tenant platform and around 15 different user roles. Here’s a breakdown of the process and associated costs for a grey-box testing approach:

  • Preparation Session: A 1-2 hour session to explain the platform, share API details, and provide domain knowledge.
  • Platform Preparation: Ensuring the testers have access without compromising client data and establishing a support team for any questions.
  • Testing Phase: Usually lasts about 5 days.
  • Reporting: An additional few days to prepare, review, and finalize the report and management letter.

The report, which should remain confidential, details all findings and how vulnerabilities can be exploited. The management letter provides an executive summary of the findings, categorized by severity.

A penetration tester typically charges between 1500 and 2500 EUR per day. Including administrative tasks, the total cost for this exercise would be approximately 20-25k EUR.

It’s also advisable to budget for a re-test. After addressing the critical issues identified in the initial report, a re-test ensures that the vulnerabilities have been properly mitigated, giving you confidence when sharing the report with clients.

Conclusion

Conducting external penetration testing at least once a year is a common and recommended practice. It helps identify security vulnerabilities and encourages prioritizing high-risk issues. While it requires an investment, penetration testing is essential for any growing company that values its future security.