Infosec ROI: Get the Most Out of a Pen Test for Your Business

Posted on September 10, 2020 - by Sherif Koussa - in Building Your InfoSec Program

It’s easy to feel like a fish out of water when it comes to knowing which pen test is right for you — whether you handle sensitive information, are required to comply with an industry standard, or are scaling your company. We hear a lot of terms used interchangeably when talking about security needs for any growing technology business. Let’s break it down.

Like most things, penetration testing is a spectrum. On one end you have a basic, automated vulnerability scan. On the other end you have a high-assurance ethically hacked pen test. The complexity of the project, amount of time required to complete it, and financial investment are also on a spectrum. Before we get into the ROI, let’s dive deeper into what a pen test is. 

Vulnerability scanning vs. pen test 

Automated Vulnerability Scan: This is a tool that scans your website, network, or web application for known vulnerabilities (meaning these issues have been found before in other applications, and the steps to fix them are known and documented by experts in the field). The results of these scans are usually sent to development teams in a PDF report, often containing a relatively large number of false positives.

Manual Penetration Testing: This is more like a manual attack simulation exercise. A trained pen tester will assess the threats posed to your website, network, or application by creating a threat model. A threat model is an exercise where the pen tester uses their deep technical background to understand the application, its assets, and what the application exposes to the outside world, from APIs, to pages, to servers, etc. The threat model then enumerates all the ways an attacker could hack the application, and the pen tester tests the security controls in place for their resilience against those attacks. The pen tester simulates the activities of a real hacker to break into your system — trying to access your assets and “crown jewels.”

Often pen testers use open-source and commercial tools to help them get coverage and then develop scripts to automate particular business logic testing. Finally, this type of engagement will produce a report with evidence like screenshots, steps to reproduce vulnerabilities found, as well as guidance on remediation.

Vulnerability Scanning/Tool-Assisted Pen Testing: This is where it gets a bit murky; a pen tester will leverage automated tools (like Burp or AppScan) to scan your website, network, or application for known vulnerabilities. There is also a level of manual effort, such as verifying the results of the scanners, or a pen tester doing some light, manual pen testing based on these results. This type of Vulnerability Scanning/Tool-Assisted Pen Testing does not include the depth of manual penetration testing (as outlined above).

Confused again? That’s because this is a grey zone. A place where first-timers, or leaders whose plates are too full to wrap their minds around security nuances, can get lost. This grey zone can also lead to businesses paying for what they think is a manual pen test and then getting something very different.

To recap, pen testing is a manual effort that focuses on simulating a hack of an application to access the data, users, or infrastructure and then exploit it. If the only vulnerabilities you find are the ones surfaced by automated tools and light-effort pen testing, the ones that remain become a very easy job for hackers. Unfortunately, finding really good vulnerabilities requires a lot of time, even for seasoned pen testers. What makes matters worse is that hackers have plenty of time to attack, while defenders usually have a limited amount of time. Overall, it’s worth taking the time to carefully choose your security vendor.

Picture still a little unclear? Imagine you have a big presentation for a client to explain how your offer solves their problem. A vulnerability scan would be like sketching out your solution on a napkin and sliding it across the table. It gets the job done. A manual penetration test would be like hosting a product demo with positioning around your buyer’s pain points and journey, handling objections before they’re stated, with all of the decision makers in the room, after several months of development and reiteration. It closes the deal.


That’s the spectrum of pen testing. 

What about that ROI? 

Ok, so you’ve invested in a penetration test. Awesome. This will help you comply with that industry standard and prove to your partners, investors, and clients that you’re serious about security. You can show you’re doing what it takes to reduce the risk of a cyber attack, protecting their sensitive information and your reputation. You know where your weak spots are (or whether you’re adequately covered).

Here are 3 additional ways you can get the most out of your pen test. 

1. Marketing on your website: More and more SaaS companies have a special “Security” page, similar to “Product” and “Features” that explains the security controls implemented to protect customer data. This is a place to prove the maturity of your security program by including information about the type of pen test you’ve invested in and the security practices you’ve adopted since doing so! Enterprise customers, investors, and partners will all look there, so take the opportunity to position yourself for them.

2. Sales meetings: Is your sales team getting questions from their prospects on the security controls of your technology? Help them overcome these objections before the questions are asked by developing scripts they can turn to on calls. Work with them so they understand the “why” behind your pen test and engage your marketing department to support positioning the value of your pen test. Presenting a recent certificate produced by a penetration testing as a service company goes a long way when you’re working to close any deal on the table.

Another tip here: Never give prospects an old penetration test report. If you get asked whether you’ve done a recent pen test and you send over the results from… five years ago… that won’t make you look good to a prospect.

3. Developer training: Nothing is worse than a pen test report gathering dust in a virtual drawer. Leverage your penetration test report to distribute fixes across your development team. As you do this, several things will happen.

First, your developers will learn how to think securely as they’re coding new features. A solid pen test report will include a description of the vulnerability, how the vulnerability was found, and what steps can be taken to fix it.

Second, your developers will fix the issues, closing those security gaps, so you can retest your application and, if all is well, get a fancy penetration test certificate that your prospects and clients will be happy to see included with RFPs and proposals (as mentioned above).

Third, you will figure out who on your technical team is interested in security. These security champions can not only lead by example with your developers, shifting security left, they can also support sales efforts to close deals with security-conscious clients.

These strategies will not only help you get more ROI from your pen test; they will also help build your overall security culture, through collaborative efforts across departments. Thanks to renowned management consultant Peter Drucker, we know that “Culture eats strategy for lunch.”

Curious about how pen tests became a business requirement in the tech space? Check out Why are Your B2B Customers Demanding Pen Tests.


Watch our webinar on Pen Test ROI.

About the author

Sherif Koussa is an OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and Secure Coding Instructor. Sherif began his security career as the lead developer for OWASP WebGoat 5.0, and served as a mentor for SANS Institute and exam consultant for GIAC, where he authored more than 500 Java and .NET questions. He also worked for Wells Fargo Bank in the central security code review team.

100 million lines of code later, Sherif brings lessons learned from writing insecure code as a developer, along with years of experience as a security code review engineer and pen-tester, finding vulnerabilities in custom code.

Sherif is also CEO and founder of Software Secured (https://www.softwaresecured.com) and Reshift Security (www.reshiftsecurity.com). Software Secured specializes in Penetration Testing as a Service (PTaaS) and instructor-led training.

Reshift Security is a developer-first security tool that automates the process of finding and automatically fixing vulnerabilities in custom code, with a click of a button.