penetration test

zc2
Could you recommend an affordable service which would perform a penetration test against a web site and then create a comprehensive report document?
I searched the internet and only found tools I could use to find holes/make sure there are no holes. But we need to pass a clear penetration test report to our client as required by the contract.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
This directory has a list of CREST accredited companies which should typically fulfil the PT requirements. Examples include Pulse Security and Resolvo System, but depending on your region, it is best that you engage the companies further to understand the services.

https://www.crest-approved.org/accredited-companies/members-providing-penetration-testing/index.html
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You can hire a company + a good first step is to set up all the many public domain tools on a LAMP server + do continuous PEN testing of all your machines + sites for free.

You can use services + they can only report their testing during a given time + can be very expensive.

Likely most or all of these services simply setup all the many free PEN testing tools available to implement their testing.

Even if you're required by law or your niche's licensing requirements to use a certified PEN testing service, it's still good to do your own continuous PEN testing.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
You can also look at the PT professional services published by government authorities such as NCSC (UK) - a total of 41 as of this writing. They are CREST certified and capable of conducting CHECK.
https://www.ncsc.gov.uk/index/professional-service?f[0]=field_assurance_scheme%3A213&f[1]=field_assurance_status%3AAssured

Just to share a bit of background - The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with Her Majesty's Government (HMG) policy. Companies belonging to CHECK are measured against high standards set by the NCSC. The NCSC and CREST work in collaboration to provide a set of examinations that are acceptable to industry and meet the requirements of private and public sectors.
Author

Commented:
@btan, Thank you for the info. As I understand from your explanation, there is no such thing as a certified and affordable pentest service?
I visited some links from the CREST list and none of them even publish a price for the service, so I expect they are expensive?
We need a pentest report; if it costs more than the project budget, it makes no sense to use it.
BTW, both we and our client are located in the US, so the UK list may not be what we need.

@David Favor, sometimes I do use some tools like Metasploit, sqlmap, etc. to check whether there are any vulnerabilities in our sites (not continuously though), but in this case we need a professionally created report, which is something different.
Anthony Garcia, Devops Staff

Commented:
Is there a specific reason/part that you want to focus on in the testing? For the most part pen testing is expensive because someone has to manually review any scan results and do additional custom testing, which can get expensive. These are usually split up into application-based testing or network-level testing.
There is also PCI testing, which is a bit more common. This usually involves a basic scan and gives you a report and certificate on whether you passed or not. There are different levels of PCI compliance, some that require a full pen test and others that do more of a vulnerability scan. This is more of the industry accepted standard and will likely carry a bit more weight and have a more standard type of report. This is usually more necessary when you are handling any type of payment processing.

Author

Commented:
The reason, as I explained before, is to provide a pentest report to our client for whom we are developing a data processing web site. This was his requirement. The site does not involve any payment processing.
Anthony Garcia, Devops Staff
Commented:
Well, if you guys put the wording as a penetration test report in your contract then I am afraid it can get pretty expensive. I have been quoted anywhere from 4k-7k dollars for a single test.
One of the main companies I know of is Trustwave. https://www.trustwave.com/en-us/services/security-testing/managed-security-testing/
The other one I am familiar with is https://www.offensive-security.com/offensive-security-solutions/penetration-testing-services/

I don't think I have ever seen the costs posted for a pen test, and most of the time you need to contact them to get a custom quote. What you might be looking for is more of a checklist assessment, if your client is ok with that. Usually that is much cheaper. Most vendors that offer this offer a seal that you can put on your site to show that they have scanned your site.

McAfee offers a service like that which I have used in the past.
https://www.mcafeesecure.com/vulnerability-scanning
btan, Exec Consultant
Distinguished Expert 2018

Commented:
The security test cost is a small price to pay to safeguard your data and systems.

Application testing. Web applications are quite complex. In most cases, the pen testing price can start from $2,000. The final decision will depend on the number of roles in the application and the aim of the testing.

Network penetration testing cost depends on those factors as well. Some of the companies provide a fixed price, and that will usually include a fixed list of services available. The pricing for a network pen test starts at $4,000. Anything below that price is very unlikely to be a quality test.

Actually, the pricing is not as expensive when you consider that non-compliant (e.g. to PCI) companies can end up paying a fine of $5,000 - $100,000.

Besides that, the cost of penetration testing can go up if any additional or specific tools are required. While some of the tools might be free, the person using them needs special certification, especially for compliance, to show verifiable proof that it is conducted by qualified professionals. Some of the tools might be quite pricey as well (for example, the Burp Suite paid version costs $349 per user). The price for certification may vary from about $349 (CompTIA) up to around $6,210 (SANS).

As the expert has shared, you can expect the average cost of a penetration test to vary from $4,000 to $100,000. Ultimately, the price to pay for non-compliance or a security incident due to oversight is greater compared to the regular health test report that you receive.

Remember that getting the report is just the beginning; all gaps and findings must be addressed, and any major changes made to the system should undergo such testing to assure its security posture is intact.

Author

Commented:
@btan, thank you for such detailed explanations.
What you are saying makes a lot of sense, since I understand that a high-quality pentest requires the participation of a very skilled person.
But I believe that affordable, lower-quality pentest services also exist, since there is at least one provider:
https://www.ibm.com/us-en/marketplace/application-security-on-cloud/purchase#product-header-top
We just want to see if there are any others similar to choose from.
Like I said before, the cost of obtaining such a report is very important. If it is greater than the project's budget,
it would not make sense to spend money on it.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Sure, agreed. What I suggested is more to add some human-driven mindshare into running the test. It is good to have tools to automate and surface unknowns, but much of the time, from my experience, it is far off if the testers are not experienced and just run tools because it is an SOP. Your environment cannot just be based on SOP; the test scope needs to be contextualised, and PT is supposed to penetrate further besides finding holes: it is supposed to find how deep the hole is and how serious it is if you fall into it.
