penetration test

Could you recommend an affordable service which would perform a penetration test against a web site and then create a comprehensive report document?
I searched the internet and only found tools I could use to find holes / make sure there are no holes. But we need to pass a clear penetration test report to our client, as required by the contract.
zc2 asked:
btan (Exec Consultant) commented:
This directory has a list of CREST accredited companies which should typically fulfil the PT requirements. Examples include Pulse Security and Resolvo System, but depending on your region, it is best that you engage the companies further to understand their services.

https://www.crest-approved.org/accredited-companies/members-providing-penetration-testing/index.html
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
You can hire a company + a good first step is to set up all the many public domain tools on a LAMP server + do continuous PEN testing of all your machines + sites for free.

You can use services + they can only report their testing during a given time + can be very expensive.

Likely most or all of these services simply set up all the many free PEN testing tools available to implement their testing.

Even if you're required by law or your niche's licensing requirements to use a certified PEN testing service, still good to do your own continuous PEN testing.
btan (Exec Consultant) commented:
You can also look at the PT professional services published by government authorities such as the NCSC (UK) - a total of 41 as of this writing. They are CREST certified and capable of conducting CHECK.
https://www.ncsc.gov.uk/index/professional-service?f[0]=field_assurance_scheme%3A213&f[1]=field_assurance_status%3AAssured

Just to share a bit of background - The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with Her Majesty's Government (HMG) policy. Companies belonging to CHECK are measured against high standards set by the NCSC. The NCSC and CREST work in collaboration to provide a set of examinations that are acceptable to industry and meet the requirements of the private and public sectors.
zc2 (Author) commented:
@btan, thank you for the info. As I understand from your explanation, there is no such thing as a certified and affordable pentest service?
I visited some links from the CREST list and none of them even publish a price for the service, so I expect they are expensive?..
We need a pentest report; if it costs more than the project budget, it makes no sense to use it.
BTW, both we and our client are located in the US, so the UK list may not be what we need.

@David Favor, sometimes I do use some tools like metasploit, sqlmap, etc. to check whether there are any vulnerabilities in our sites (not continuously though), but in this case we need a professionally created report, which is something different.
Anthony Garcia (Devops Staff) commented:
Is there a specific reason/part that you want to focus on in the testing? For the most part pen testing is expensive because someone has to manually review any scan results and do additional custom testing, which can get expensive. They are usually split up into application-based testing or network-level testing.
There is also PCI testing, which is a bit more common. This usually does a basic scan and gives you a report and certificate on whether you passed or not. There are different levels of PCI compliance, some that require a full pen test and others that do more of a vulnerability scan. This is more of the industry accepted standard and will likely carry a bit more weight and have a more standard type of report. This is usually more necessary when you are handling any type of payment processing.
zc2 (Author) commented:
The reason, as I explained before, is to provide a pentest report to our client, for whom we are developing a data-processing web site. This was his requirement. The site does not involve any payment processing.
Anthony Garcia (Devops Staff) commented:
Well, if you guys put the wording "penetration test report" in your contract then I am afraid it can get pretty expensive. I have been quoted anywhere from 4k-7k dollars for a single test.
One of the main companies I know of is Trustwave. https://www.trustwave.com/en-us/services/security-testing/managed-security-testing/
The other one I am familiar with is https://www.offensive-security.com/offensive-security-solutions/penetration-testing-services/

I don't think I have ever seen the costs posted for a pen test, and most of the time you need to contact them to get a custom quote. What you might be looking for is more of a checklist assessment, if your client is OK with that. Usually that is much cheaper. Most vendors that offer this provide a seal that you can put on your site to show that they have scanned your site.

McAfee offers a service like that which I have used in the past.
https://www.mcafeesecure.com/vulnerability-scanning

btan (Exec Consultant) commented:
The security test cost is a small price to pay to safeguard your data and systems.

Application testing. Web applications are quite complex. In most cases, the pen testing price can start from $2,000. The final decision will depend on the number of roles in the application and the aim of the testing.

Network penetration testing cost depends on those factors as well. Some of the companies provide a fixed price, and that will usually include a fixed list of services available. The pricing for a network pen test starts at $4,000. Anything below that price is very unlikely to be quality testing.

Actually the pricing is not that expensive when you see that non-compliant companies (e.g. with PCI) can end up paying a fine of $5,000 - $100,000.

Besides that, the cost of penetration testing can go up if any additional or specific tools are required. While some of the tools might be free, the person using them needs special certification, especially for compliance, to show verifiable proof that the test is conducted by qualified professionals. Some of the tools might be quite pricey as well (for example, the Burp Suite paid version costs $349 per user). The price for certification may vary from about $349 (CompTIA) up to around $6,210 (SANS).

As the expert has shared, you can expect the average cost of a penetration test to vary from $4,000 to $100,000. Ultimately, the price to pay for non-compliance or a security incident due to oversight is greater compared to the regular health test report that you receive.

Remember, getting the report is just the beginning: all gaps and findings must be addressed, and any major changes made to the system should undergo such testing to assure its security posture is intact.
zc2 (Author) commented:
@btan, thank you for such detailed explanations.
What you are saying makes a lot of sense, since I understand that a high-quality pentest requires the participation of a very skilled person.
But I believe that affordable, lower-quality pentest services also exist, since there is at least one provider:
https://www.ibm.com/us-en/marketplace/application-security-on-cloud/purchase#product-header-top
We just want to see if there are any others similar to choose from.
Like I said before, the cost of obtaining such a report is very important. If it is greater than the project's budget,
it would not make sense to spend money on.
btan (Exec Consultant) commented:
Sure, agreed. What I suggested is more to add some human-driven mind share into running the test. It is good to have tools to automate and surface unknowns, but much of the time, from my experience, it is far off if the testers are not experienced and just run the tool because it is an SOP. Your environment cannot just be based on an SOP; the test scope needs to be contextualised, and PT is supposed to penetrate further besides finding holes: it is supposed to find how deep the hole is and how serious it is if you fall into it.