Here are some recommendations on the type of penetration testing companies should employ based on their maturity.
Beginner: At this stage, we recommend using external penetration testers. Outside experts bring a fresh set of experiences and skills, along with industry best practices, that help ease you into the process. It’s important to ensure that the results from the tests get back to the engineering team. This can be done through established defect management or mitigation channels, leveraging existing systems (e.g., Slack, JIRA) to integrate remediation into developer workflows. Establishing this process is also a good first step toward setting up a software security group, which carries out and facilitates the software security initiatives that improve overall risk posture.
Intermediate: At this stage, it’s crucial to provide penetration testers access to all available information and artifacts such as source code, design documents, architecture analysis results, and code review results, as well as cloud environment and other deployment configuration information. This will enable testers to do deeper analysis and find problems throughout the secure software development life cycle (SSDLC). Further, it’s important to set up a testing cadence, especially for high-profile applications, to ensure yesterday’s software isn’t vulnerable to today’s attacks.
Advanced: For companies that have been using penetration testing as part of their software security initiatives for several years, we recommend using external penetration testers to perform deep-dive analysis, especially for critical projects. At this stage, it’s key to validate whether skilled penetration testers can break a system, and to understand how test results can be used for designing, implementing, and hardening new systems. Finally, it’s vital to understand how penetration testing can be performed throughout the entire SSDLC using agile methodologies, paired with other application security methods such as threat modeling and architectural risk analysis.