We recently completed a pen-test for a new client where we found a bunch of issues which hadn't been picked up before by their incumbent provider.
No big deal, it happens.
This is not a trumpet blowing post, nor is it to expose or in anyway pick at other pen-test vendors and their resources. Food for thought, that is all.
I've worked with many, very talented testers over the years - we're all pretty similar, we have similar mindsets, use the same tools, follow the same methodologies, read similar blogs and follow like minded social media personalities.
However, from a clients perspective, there are a couple of schools of thought with pen-testing, 'we need a fresh pair of eyes' and 'we need someone who truly understands our business'.
There are clearly pros and cons to both approaches.
So the question is...
Would you like Bob, who is on first name terms with the receptionist, high fives his way through the office before taking his usual desk and connecting to the network where MAC filtering is already enabled. Bob will be having lunch with the dev or infrastructure teams, giving them a heads up on test progress and having a bit of banter that he's finding the same issues as last time.
There is nothing wrong with Bob, he's been in the game for a fair few years, holds a couple of badges and is well respected by his peers and the info-sec community. Bob has built up a good relationship with this client, the sales guys love him and always look to book him in.
Has Bob become complacent? Is he really adding value to the client? Is he doing the best job he can? Is Bob missing stuff?
What about Alice?
Alice is currently salivating in reception, she's twitching, nervous and excited. Alice has never worked for this client before, she doesn't know what technology stack they have, she's not worried as she'll quickly find out.
Alice won't be high fiving the dev team as she passes through the office, she's not here to make friends, she's here to do a job and will be eating lunch from the vending machine.
Alice is on a mission to find and expose as many vulnerabilities as she can on this engagement, she will exploit where possible and fully expose the company to the risks. Alice is determined to find the stuff that Bob has missed.
However, Alice is not heartless, she is a professional and will help the company remediate and mitigate against what she's found. Alice doesn't mind if she never returns to this office.
For some clients, they have little option but to use the same pen-test vendor, they are contractually tied to use them as a preferred supplier for at least a year or three. For many this will be part of the standard tender process, we've used these guys before, we have a good discount, they understand our business etc. We love Bob.
Final thoughts
I urge clients to challenge their incumbent pen-test providers, ask for Alice instead of Bob from time to time. Revisit your existing procurement process, bake in some flexibility to use other providers. Always question the value you're getting, not just 'bang for buck', but look at the entire engagement process and in particular the results you're seeing.