The real cost of cheap penetration testing

In today’s world, keeping information safe from cyber threats is a top priority for businesses big and small. Penetration testing uncovers potential weaknesses in online defences and is one of the most effective ways to check for vulnerabilities in your systems.

As with any effective business tool, penetration testing has become a commodified service offered to organisations that want security but can’t afford to build or fund the capability in-house.

Businesses have every right to complete a penetration test in whichever way they see as most beneficial. Some pen testing offerings compete on quality. Some on comprehensiveness. Some offer it as an ongoing subscription-based service. Some simply lower the cost. It’s often that ‘bang for buck’ argument that attracts us to the lower-cost penetration testing options. After all, it’s all the same, isn’t it?

Cheap penetration testing might seem like a quick, low-cost way to check for vulnerabilities, but it often creates more issues than it’s worth. One person ran an experiment on ‘Penetration Testing and Low-Cost Freelancing’, which examined the value delivered by pen testers charging between $30 and $400. The kicker? None of these testers found all the vulnerabilities the person running the experiment had planted. Most did not even identify the two high-risk bugs.

This experiment raised a critical point: saving money upfront through cheap penetration testing can cost your organisation later. You might need to invest in more testing to find the vulnerabilities missed, or you might experience a cyber attack and have to deal with those costs.

Here are a few more reasons we at Mercury do not recommend going for cheaper options.

Cheap testing usually occurs away from Australian jurisdictions

Choosing cheap pen testing means you have likely entrusted someone offshore with company information or access to your systems. Pen testers outside Australia do not have to adhere to the strict privacy rules enforced here. Their country might also have information-gathering requirements that breach our regulations, cultural attitudes that do not value privacy, or a different opinion of security.

This mismatch in legal standards increases the chance that your data could be mishandled or even stolen, with little you can do about it. It’s hard to ensure these testers meet Australian standards. If something goes wrong, like a data breach, it’s very complicated, sometimes impossible, to take legal action because of the differences in laws between countries.

Cheap pen testers seldom apply contextual analysis

Every company’s IT landscape is different, with specific applications, configurations, and user behaviours. Without an understanding of that landscape, a pen tester cannot identify all security flaws, much less provide meaningful analysis to the client and stakeholders.

Several years ago, we conducted a penetration test for a customer whose own client had already had a test performed. The third-party tester reported a single high-risk finding: the ‘asptest’ cookie on the test environment did not have the secure flag set. This cookie had no bearing on session management, and the environment was not production. Because the tester defaulted to tool output rather than context, we spent a lot of unnecessary meetings explaining the finding and re-educating the stakeholders.

Opting for cheap testing often means sacrificing this in-depth analysis for a generic, high-level summary. Such summaries may overlook critical nuances specific to your organisation, leaving you exposed to risks that a more thorough examination would have uncovered.

A cheap test might mean getting a ‘quick and dirty’ job that misses the full scope of your security needs. Using automated tools to complete penetration tests has become common, but these lack the nuanced detection a skilled professional can provide. The experiment mentioned earlier showed that only one of the freelance pen testers appeared not to rely solely on automated tools. That tester found three of the four vulnerabilities, none of which automated tools could find.

If the same generic tests are applied to ten different companies that configure and manage their systems in ten different ways, then none of the companies being tested will see meaningful results about their actual vulnerabilities.

The pen tester might speed through the process but fail to uncover complex vulnerabilities that require a human’s analytical skills and intuition. A fast assessment that only focuses on the surface level without manually searching for issues means that the tester will likely overlook high-level problems.

Is the compromise on quality really worth it?

Cheap pen tests often rely on automated tools, which suggests that the tester focuses on getting the job done quickly rather than delivering the highest quality reporting. They focus on throughput rather than outcome. It makes sense that someone taking on many cheap jobs wouldn’t want to spend much time on each; what you pay dictates the behaviour you get. But this does not make sense for your business, where you need someone who has thoroughly identified and reported vulnerabilities.

Cheap testing might also indicate that the person does not have the right training or certifications to complete the test adequately. You wouldn’t go to a surgeon who didn’t have the proper training, so why make the same compromise on your cybersecurity?

In the experiment, two of the seven testers did not have certifications listed. However, Tester #5 had completed a Bachelor of Computer Science and various certifications such as CEH Certified Ethical Hacker and Certified Payment Industry Security Implementer. They charged $50 for the pen test and did not find any of the vulnerabilities that the experimenter had planted. So, even if someone has good certifications and experience, they likely won’t live up to them when you pay very little.

Additionally, what if these testers break your system and don’t know how to fix it? You should consider the risks of giving your cybersecurity work to people who may not fix their mistakes, leaving your systems exposed or improperly configured. If a legitimate vulnerability is missed and you are the subject of a ransomware event at a later date, who is liable? And does the low-quality cybersecurity provider have the insurance to cover losses?

Conclusion

When choosing to undergo a pen test, we strongly advise that you do not go for cheaper options and instead choose a service that delivers thorough analysis and reporting. Cheap services often occur offshore, where you cannot enforce Australian data privacy regulations or take legal action if the pen tester steals your data. They are also often completed by someone using automated tools who is not interested in spending lots of time on the job due to the amount you pay.

Why choose Mercury for penetration testing?

Our Australian-based cybersecurity experts can simulate real-world attacks on your systems to identify vulnerabilities and report on remediation procedures. We have extensive experience completing tests, reporting on issues and resolving problems to protect your business. Visit our Quality Assurance Services page for more details.

We’re here to help

Let Mercury safeguard your business while you focus on growing it.

Reach out to us for a tailored cyber security consultation that aligns with your unique business needs.