How to Follow up after a Pentest
The results of your pentest might leave you feeling like a deer in the headlights. Penetration testing, or “pentesting” for short, is an ethical hack that reveals the weaknesses of your company’s security infrastructure. These tests are often conducted in the run-up to a SOC 2 audit. Even though you invite these reports that enumerate your company’s vulnerabilities by hiring a pentesting firm, outlining the scope of the test, and preparing for the test, getting the results might feel overwhelming. It’s easy to get lost in the surprise of discovering what was found and forget to follow up.
However, following up is the meat and potatoes — in other words, the substance — of pentesting. This is where you have the opportunity to correct security vulnerabilities and protect against future attacks, which most likely won’t be at the hands of ethical hackers. Read on to discover what you should do to follow up after a pentest.
1. Log all the findings in a ticketing system.
You should record all the items of concern in your pentest report in a ticketing system. This will remind your staff to address them and track your company’s progress toward remediating the problems.
2. Develop a remediation plan.
Once you’ve logged all the tickets, you should create a system for addressing these concerns. Your report will rate each problem with a level of importance from low to critical. You should carefully prioritize the issues that need to be addressed and reflect this in your ticketing system. Critical issues earn this designation not only because of how easy the issue was to exploit, but also because of the potential fallout if it were exploited and the likelihood of it being exploited in the future. Because of this, the auditor will expect critical issues to be addressed quickly, as in a couple of weeks. Issues of medium importance can be tackled during the next development cycle, while low-priority issues can have more flexible deadlines.
3. Close out tickets after remediation.
As you remediate the items, you should close out the tickets. After all, an auditor will not only want to see that you’ve conducted a pentest, but also that you’ve followed up — and have the documentation to prove it.
4. Perform remediation testing.
Did your fixes work? Are all your security holes closed? You won’t know unless you conduct a vulnerability scan after the pentest. This will help ensure the remediation strategies you use are effective. Remediation testing may be part of your pentesting company’s procedures and already be included in the cost of their work. If not, you should plan on conducting it in house. If you can document that the issues identified in the pentest have been remediated, your auditor will likely include this in his/her report. In turn, this will reassure your customers that key issues have been addressed.
5. Use the pentest report as a training tool.
Hiring an outside firm to conduct a pentest is always valuable. However, being able to conduct your own vulnerability scans in house and on a regular basis is also important. These internal scans can prevent security attacks and can better prepare your company for pentesting in the future.
So, how do you train your staff on how to do pentesting? The report you receive is a valuable training tool. Plan to spend a lunch-and-learn or a regularly scheduled staff meeting going through key pentesting findings. Discuss what could have been done to detect the issue earlier or to remediate the issue in the future. This process will help create a security mindset among your team members. As your engineers move forward with introducing new features, they should also consider what risks the software creates and how to best protect against attacks. If they know their creations are going to be pentested, it may lead them to think proactively from the outset.
6. Enhance your next risk assessment.
Periodically, your company may come together to conduct risk assessments. Your pentest becomes another data point in your analysis. Pentests can reveal the root causes of security weaknesses that affect your larger security strategy. If so, you may choose to dive into these deeper. Moving forward, you may want to enhance your monitoring, change password policies, provide more employee security training, or change elements of your development cycle.
Ideally, pentesting — and the proactive security mindset it creates — should filter into your company culture and become an ongoing part of your procedures.
Practical Assurance offers pentesting services tailored to businesses preparing for and undergoing SOC 2 audits. Contact us to get started.