Pen-testing as an industry has only been around for about twenty years. It’s evolving fast and the relentless innovation can make it hard to keep up - nothing stands still for long. Yet one aspect of the business hasn’t changed a single bit in twenty years - an archaic process that's proved stubbornly resistant to progress:
Booking a pen-test.
Take a look at typical booking process below. I wish I could say I was exaggerating here, but this is absolutely standard based on my experience as both a vendor and client. Just look at the effort the client must put in and how long they’re expected to wait:
Task 1: Shortlist vendors, draft and send 3 RFI’s = 3.5 hrs
- Wait 2 days for response from 3 vendors
Task 2: Fill out 3 scoping questionnaires = 4 hrs
- Wait 5 days chasing answers from other depts
Task 3: Read proposals and select a vendor = 2 hrs
+Wait 1 day for response from chosen vendor
Task 4: Co-ordinate diaries = 2.5 hrs
- Wait 3 days for stars to align
Task 5: Fill out ‘Permission to test’ form = 2.5 hrs
- Wait 5 days for legal to sign off
Task 6: Set up vendor on procurement system = 2.5 hr
- Wait 3 days for both accounting teams to liaise
Task 7: Calling & emailing during test itself = 1.5 hrs
- Wait 10 days for report to be written and sent
Task 8: Reading test report =.5 hrs
- 1 day wondering why the hell that took so long?
Now, add weekends into that and a client is lucky if its delivered in a month. On top of which, they’ve had to put in nearly three days of effort themselves.
The model is broken, there's simple too much faffing and not enough testing. Ask any pen-tester and they’ll tell you they hate getting dragged into this process. Ultimately, that’s what pushed us at OnSecurity to do something about it; as pen-testers, we just got sick of the faff. The online platform we built eliminates the admin. By booking tests online and viewing results in realtime - bringing overall delivery time down from 40 days to 4.
There’s still much more we could do, (and more on that in my next blog) but in the meantime, get in touch below if you want to book pen-tests without the pain.
