There are a number of practices in the information security field that have traditionally been followed with good intentions:
- Sensitive data must be stored on-premise in a private data center, never in the cloud
- Accounts should lock out after 3 failed attempts in order to prevent brute-force password attacks
- Companies should change pentest vendors on a regular basis
In this post, we will be examining the practice of changing pentest vendors regularly.
Why rotate vendors?
The most challenging thing about pentesting is that you can never be sure if you’ve found all of the vulnerabilities. There are the vulnerabilities that exist in software, and then there are the vulnerabilities you know about; it’s impossible to know if these two things match.
Naturally, in pentesting, the goal is to find as many true positive vulnerabilities as possible. There are a few levers at our disposal:
- Time spent pentesting (hours)
- Talent of pentesters (experience, skill)
- Money (presumably with more money you can pay for more hours, stronger talent)
Let’s talk some more about pentester talent.
Each pentester has their own specific and unique set of experiences and skills. There are technology stacks that each pentester is more familiar with, and others they are less familiar with.
Another aspect to recognize in all of this is that historically, pentest vendors had limited resources. Your local pentest consultancy might have 5 people who are qualified to perform manual pentesting. In a case like this, it does make sense to rotate vendors in order to get “new eyes” on a piece of software to try and identify vulnerabilities, particularly any that may not have been identified before. If your current pentest vendor has a bench of 5 individuals, then if you switch pentest vendors, you’ll get new eyes on the problem and potentially end up with improved results.
But what if your pentest vendor has hundreds of experienced, skilled pentesters? What if they are rated by their peers and clients after every single test and their findings are reviewed regularly for performance?
Objective versus policy driven
There is no regulatory requirement that specifies that organizations must rotate pentest vendors.
The intention behind internal company policies that specify that pentest vendors must be rotated comes from a good place that seeks the highest quality pentesting results possible. However, this approach is outdated: while it was relevant in the 1990s and 2000s, it is no longer applicable in the year 2023 and beyond.
In the year 2023:
- Some pentest vendors have 100+, even multiple hundreds of qualified, experienced, skilled, peer-reviewed pentesters
- Some pentest vendors have data-driven performance evaluation mechanisms for continuously assessing the quality of their pentesters
- Some pentest vendors have delivered more than 10,000 manual pentests and encourage their pentesters to continuously learn and stay active to keep their skills sharp.
Value of a Long-Term Pentest Partner
While there is no longer any benefit to changing pentest providers on a regular basis, there are several advantages to staying with a single preferred vendor if they are meeting and exceeding expectations:
- Familiarity with Systems: A long-term pentest provider will have a deep understanding of your systems, leading to more efficient and effective testing.
- Consistency: Staying with a single pentest provider ensures a consistent approach to your pentesting, which makes it easier to track progress and improvements over time.
- Continuity: A long-term partner will have a historical perspective on your pentest data, which can be valuable in identifying trends and making strategic recommendations.
- Time and Cost Efficiency: Onboarding a new vendor can be time-consuming and costly. Cobalt makes the transition of becoming a customer easy with our intuitive online PtaaS platform.
Conclusion
Any internal company requirement to rotate pentest vendors is outdated and should be updated to reflect today’s pentest vendor landscape.
While these policies may be well-intended, they have not kept pace with the fast-evolving cybersecurity sector. Instead, consistency and continuity provide two reasons to find a pentest vendor that can meet your needs as your company grows and you scale your security program.
The Cobalt Core assists businesses that are still functioning within this traditional framework, providing access to a team of over 400 skilled testers for your company's upcoming penetration tests. Additionally, we give our customers the flexibility to shift viewpoints by assigning different testers for subsequent tests.