Network Security Testing: The Pros And Cons Of Rotating Vendors

Security Testing

Many companies find that it makes sense to change up their security vendors for each testing phase. But, is this really necessary or even recommended by experts? Here’s what you need to know about security testing and the question of ‘diversity’ in testers.

Vendor Rotation Schemes: Why Businesses Do It

Many companies believe that social engineering, penetration testing, web app testing, and other security analysis is required at least once per year. But, what most companies also believe is the “best practice” of rotating vendors every few years. The arguments are compelling.

First, the SANS Institute issued a white paper on penetration testing that includes the recommendation to rotate firms (page 10). Some companies use customised exploits, and these exploits vary by company, so getting a variety of attack types can be good. Finally, there’s the issue of cost and quality versus value. Not all companies provide equal value for the service. The lowest quote from a vendor, for example, might only give you some idea of vulnerabilities within your organisation, but no real or clear path to tightening security.

Why You Should Not Do It

One of the downsides to rotating out security professionals is that once you find a firm that provides good service, you’re voluntarily pushing them away for an unknown. Why do that? Another disadvantage is that skill levels of staff can vary by a lot. And, while this is true even within the same company, usually, a company’s culture dictates how that experience (or lack thereof) will translate into overall service. So, once again, if you find a good company, odds are that even inexperienced staff will be better than experienced staff at a bad company.

Finally, context and background knowledge from all of your previous testing is gone. That’s right, you’ve spent all that money testing your security and switched companies. You don’t have access to previous data, unless you keep the reports from the previous company. Even then, the new company doesn’t have the experience with you that the old company has. That means you’re starting over every few years. This becomes especially problematic with penetration testing (learn more about pen testing on this page) because previous vulnerabilities are “forgotten” or lost. Progress is difficult or impossible.

Identifying A Good Security Analyst

A good security analyst has hands-on experience, and a deep background in systems or network administration. They also understand firewalls, servers, routing protocols, encryption, virtualisation, and intrusion and prevention systems.

Good analysts also don’t rely on fear to motivate companies into compliance. This is a cheesy sales tactic, and clouds the judgment of management – even when fear is warranted. Finally, good analysts are superb communicators. They get to the point, reject unnecessary formality, interoffice politics, and nonsensical processes that don’t result in finding and solving security vulnerabilities.

The Dangers Of Bad Analysts

Just as good analysts can strengthen your organisation, bad ones can compromise it. It’s easy to point out the benefits of having a security analysis, but it’s not always obvious what the risks are. Bad test design, or inexperienced testers, can create a false sense of security and convince management that a security problem doesn’t exist even when it does. This is especially problematic when doing penetration testing because the pen test involves actually performing a mock attack against your company’s servers.

Bad assessors also often lack sound IT skills, Because of this, they spend a lot of time, and convince you to spend a lot of money, on technology designed to meet specific compliance objectives rather than tech that exists solely for finding security problems and fixing them.

This creates a cycle of spending that’s wasteful and creates more overhead in managing security controls. As the business owner, you need to shift the focus to a conversation of value and capabilities, as well as technology investments that align with an overall IT strategy of mitigation and security control. In other words, where an inexperienced analyst will focus on checking items off a list, a good analyst will focus on solving actual problems that exist.

With bad analysts, you risk a real breach or attack. When it happens, the testors won’t be taking any blame because they’ve already checked off boxes on a checklist. You will feel either cheated or completely out of control – possibly both – because you’ve paid a lot of money and not gotten any real protection. Don’t let this happen to you. Spend time with a security professional that can do the job start to finish, and that will guide you through the process of finding, and patching, any security vulnerabilities your company has.

David Wray

David Wray is a certified TigerScheme SST, with 20 years’ experience in technical Internet security. Beginning his career with the Peapod Group as a Firewall Engineer, David went on to found Sec-Tec in 2000, which specialises in penetration testing and technical assessment services. David is a guest expert on LBC radio, and can often be heard providing insight into information security news and current affairs.