Is Penetration Testing and Vulnerability Assessment becoming a saturated market? Are companies open to outsourcing the services or would they prefer to build an in-house team?
Definitely! Different perspectives help cover a wider range of vulnerabilities.
As mentioned previously, I also do 3rd-party scans (daily vuln scans, annual pen test) in Prod and the SDLC for validation that I'm not making the results look wonderful. I also perform ad hoc scans internally a few times per year to further supplement the 3rd-party scans. I change up 3rd-party vendors every few years. This has provided me with better results, as not all scans are equal, and it also keeps me fresh on what's out there.
Thank you, Douglas, that sounds like a great strategy. May I ask what specifically you look for in vendors when you decide to outsource?
Here’s my general priority list. However, a failure in any of these probably negates a great score in the other categories.
1. Quality – Reliability of results and updated to latest threats
2. Price – This can be higher or lower in priority depending on appetite of the organization
3. Reputation – Sometimes larger customers require that I use a vendor from a list of vendors they’ve approved beforehand.
4. Admin – Ease of use for adding users, adding locations, or navigating the interface.
5. Reporting Features – Readability of reports and limited noise
Check out Cobalt.io
Thank you! I just did. It is exactly what we do as well. Please do check ZinnoX.com
Re pen testing and vulnerability assessment:
There would always be a need to outsource this part. Not all companies would need it, but if, for example, you’re in fintech, then you definitely need a 3rd party to do pen testing against your system. That way, you can claim that a 3rd party has verified and certified your system as secure.
However, if you do this without doing continuous testing yourself via your internal team, then the engagement with that vendor would be longer and more expensive.
For example, if you’ve never pen tested your own system and you bring in a vendor, then you would do a lot of bug fixing while that vendor’s meter is running (so to speak). But if you’ve already done your part, then it’s all formalities with the vendor.
Re outsourcing in general:
IMHO, I never close my doors to outsourcing. There would always be a time when you have a spike (months) of urgent and important work to be done but you can't seem to justify hiring people for that because it’s just a “spike”. Then I’d outsource, regardless of whether it’s outsourcing the whole project or via staff augmentation. If you have an agile or lean setup, then staff augmentation may be the way to go (since it’s just like adding people to your existing team temporarily, or adding a totally new scrum team, but practice-wise, they all still follow your standards and procedures, and you still have total control and total agility). Finding a trusted vendor may be difficult, though. You may need to go through a few before finding one that works for you. But once you do, maintain the relationship, because that would be a mutually fruitful relationship, even if you move to another company.
Very interesting. Thank you so much. That makes things so much easier.
Would anyone be willing or able to share with the group what managed service products/solutions you considered, if you were considering a full or partial outsource?
A combination of both is a good approach. Sometimes outside expertise sees things differently.