Validating Fixes 30 Days After Your Pen Test – Our Retesting Policy

by Sarah Harvey / January 10th, 2020

Every penetration testing firm has its own process for conducting penetration tests. While there are frameworks and methodologies that inform penetration tests, such as the OWASP Top Ten, the Open Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES), the truth is that not all penetration tests are created equal. When hiring a firm to conduct your penetration tests, a thorough understanding of their methodology is imperative. How will the firm you've hired help you remediate findings? Will they offer detailed insights and strategies for remediation? Will they re-validate what you've remediated? A firm focused on advanced, personal service will do exactly that. That's why KirkpatrickPrice has a 30-day retesting policy.

What is Penetration Testing?

Penetration testing is a form of permission-based ethical hacking in which a tester attempts to gain access to an organization's assets, including people, systems, and locations. As part of your ongoing risk management practices, the purpose of pen testing is to find vulnerabilities that could be exploited by a malicious attacker. However, pen testing firms that are committed to helping their customers get the most out of their investment know that delivering a penetration test report is only the first part of the service. An exceptional pen tester focuses on providing guidance to remediate the findings and, ultimately, on helping the client improve their security posture.

KirkpatrickPrice’s Commitment to Your Security Needs

When prospects approach us about undergoing a penetration test for the first time, or after a bad experience with another penetration testing firm, they ask how KirkpatrickPrice's pen testing methodology will prepare their organization against the advancing threats of today's cyber landscape. It's simple. We use a tried-and-true methodology that has helped keep our clients secure, consisting of the following phases:

  1. Information Gathering
  2. Reconnaissance
  3. Discovery and Scanning
  4. Vulnerability Assessment
  5. Attack and Exploitation
  6. Final Analysis and Review
  7. Implement the Remediation Guidance
  8. 30-Day Retesting Period

Benefits of Retesting

KirkpatrickPrice is well aware that the security of your organization is not something to take lightly. This is why, when we conduct our quality, thorough pen testing services, we do everything possible to help you get the most out of your engagement, including providing free resources, access to Information Security Specialists, and a 30-day retesting period to test the changes you make after the engagement concludes. What are the benefits of the 30-day retesting policy?

According to KirkpatrickPrice pen tester Stuart Rorer, "The 30-day retesting policy provides our clients with the ability to have any issues previously discovered in the pen test reassessed to see if the remediations have been effective." This means that when you remediate vulnerabilities and have them retested within this 30-day period, you could:

  1. Reduce the chance of a costly, embarrassing data breach by confirming that fixes actually closed the issues found
  2. Demonstrate your organization’s commitment to security
  3. Prove to stakeholders that you’re willing to do everything possible to protect their investments
  4. Ensure the security of a product before you take it to market
  5. Give your customers peace of mind

For those who may argue that 30 days after the engagement isn't enough time to remediate vulnerabilities, Rorer makes a critical point: "Having a pre-determined test window also provides the client with a level of accountability, and helps set a timeline goal to have issues remediated. The longer the vulnerabilities remain present, the more likely they can be exploited." In addition, many compliance frameworks require that you remediate high-risk findings, verify the fixes, and test your systems again after any significant change (PCI DSS, for example, requires that exploitable vulnerabilities found during penetration testing be corrected and retested, and that penetration tests be repeated after significant infrastructure or application changes).

The 30-day retesting policy at KirkpatrickPrice is optional, but we encourage all of our clients to take advantage of the benefits of implementing changes, retesting, and validating the security of their networks and systems. After all, a data breach is only a matter of when, not if, it will occur. Make sure your organization receives quality, thorough pen testing services – talk to an expert today. We're here to help!
