Software and IT Infrastructure Security Testing
Setup Plan with Time and Costs
ScienceSoft has been providing cybersecurity services for 18 years.
Security Testing: Essence
IT security testing aims to detect and analyze security vulnerabilities in software, IT infrastructure, security policies (including access control, communication, incident response and disaster recovery policies) and procedures (user authentication, sensitive data encryption and disposal, etc.). Depending on a company’s specific needs, in-house or outsourced security testing professionals carry out vulnerability assessment, penetration testing, security code review, compliance testing or a security audit. Regular security testing is the best practice for a company to ensure compliance with cybersecurity regulations and enhance its IT security posture.
With many industry- and company-specific considerations, a cybersecurity testing setup plan calls for a case-by-case approach. ScienceSoft has outlined commonly applicable guidelines for an in-house and an outsourced IT security checkup, based on our experience in security testing.
1. Security testing planning
Duration: 2-3 weeks.
- Assigning a security testing manager to plan and oversee the security testing project.
- Defining the scope of cybersecurity testing: the targets (networks, applications, servers, security software, physical security); the testing types and timeframe. Depending on the testing needs, one or several of the following security testing types may be planned:
Vulnerability assessment
Extensive automated identification, analysis and prioritization of software and IT infrastructure vulnerabilities.
Penetration testing
Detection and in-depth exploration of software and IT infrastructure vulnerabilities and their impact on the company. Simulation of life-like cyberattacks.
Security code review
Analyzing application source code to detect security flaws, such as encryption errors, buffer overflows, XSS and SQL injection vulnerabilities.
Compliance testing
Checking whether a company’s information security policies, as well as the security controls in software and IT infrastructure, meet regulatory standards (PCI DSS, HIPAA, GLBA, GDPR, etc.).
Security audit
A full-scale assessment of a company’s cyber defense: IT infrastructure and software security tests along with an evaluation of the information security policies, the security awareness of the staff and physical hardware access.
ScienceSoft’s tip: A company should plan at least 1 penetration test per year and 1 vulnerability assessment per quarter. Ideally, a security test should follow any major change in software and/or IT infrastructure.
- Estimating the budget of the security testing project.
- Designing the data handling policy: collecting, storing, sharing, and deleting test data.
- Planning a mitigation strategy for possible risks related to the IT infrastructure and software security testing (e.g., unintentional data exposure, server or network outages, productivity loss).
- Optimizing the plan to ensure against redundant efforts and expenses.
2. Security testing preparation
The sourcing model that a company chooses defines the preparation stage.
In-house security testing preparation
Duration: up to 12 weeks if it is necessary to hire and/or train security testing professionals.
- Building a qualified team knowledgeable about the security techniques and tools to be applied.
- Holding additional training, if needed.
- Selecting the security testing approach and techniques: e.g., internal or external testing; black box, gray box or white box testing; destructive (SQL injections, DDoS attacks, buffer overflow, application-level floods, brute-force attacks, etc.) or non-destructive (network mapping, OS fingerprinting, social engineering, network sniffing, vulnerability scanning) techniques.
- Selecting appropriate open-source and/or commercial security testing tools:
Vulnerability assessment
Host-based, network-based, wireless, application and database scanners.
Penetration testing
Network protocol analyzers, network mapping and password recovery tools, fuzzers, web crawlers, dynamic application security testing (DAST) tools, etc.
Security code review
Static application security testing (SAST) tools.
Compliance testing
Sensitive data finders, automated evidence collection tools, compliance scanners.
Security audit
Computer-aided audit tools (CAAT).
- Deciding whether a dedicated test environment is needed. This is a reasonable solution if the security testing team applies intrusive techniques that may damage the production environment or disrupt critical business activities.
- Providing the team with the required access to the target assets and data for security test execution.
Vendor selection for outsourced security testing
Duration: up to 12 weeks (to search, study and compare the security testing providers on the market).
When choosing a provider to take over the security testing process in your company, you may be guided by:
- Credentials and testimonials. Certifications (ISO 9001, ISO 27001, CEH, etc.) and reviews from real customers serve as tangible proof of quality.
- Security testing team expertise: preferably dedicated specialists skilled in automated and manual techniques.
- Comprehensive deliverables. Security testing reports must include a sound analysis of identified vulnerabilities and their causes, as well as offer remediation guidance for each finding.
3. Security testing launch and execution
Security testing launch and execution will differ depending on the testing scope and, consequently, on the testing type:
Vulnerability assessment
Duration: 1-2 weeks
- Running automated scans on the target software, networks or devices to identify existing vulnerabilities.
- Manual review of scanning results to eliminate false positives.
- Analyzing detected vulnerabilities and their causes, evaluating their severity.
- Reporting on the results with recommendations on how to fix the vulnerabilities.
Penetration testing
Duration: 1-3 weeks
- Vulnerability scanning: identifying exploitable vulnerabilities.
- Vulnerability exploitation: simulation of true-to-life attacks.
- Analyzing the exploited vulnerabilities and their impact on compromised software and IT infrastructure, as well as on the company’s business in general.
- Reporting and remediation guidance.
Security code review
Duration: 1-8 weeks
- Automated scanning of the application source code.
- Manual review.
- Analyzing detected vulnerabilities.
- Reporting on the findings and recommendations on enhancing application security.
Compliance testing
Duration: up to 10 weeks
- Running vulnerability scanners, reviewing application source code and applying penetration testing techniques to find security flaws in software and IT infrastructure.
- Defining deviations from industry regulatory standards and advising on their mitigation.
- Report on Compliance and/or Attestation of Compliance.
Security audit
Duration: up to 14 weeks
- Analyzing security policies and procedures.
- Interviewing employees to assess their security awareness.
- Incorporating vulnerability assessment, penetration testing, code review and compliance testing, depending on the audit scope.
- Examining physical access to hardware.
- A report with a detailed description and analysis of all findings as well as recommendations on how to fix the revealed security gaps.
Consider Professional Security Testing Services
With 18 years in cybersecurity services and over 150 implemented security testing and consulting projects, ScienceSoft offers both end-to-end security testing and expert advice for an in-house security team.
Security testing consulting
- Analyzing your company’s cybersecurity policies and infrastructure.
- Advising on the testing scope (the targets and testing types).
- Security testing cost and ROI calculation.
- Developing IT security testing strategy and plan.
- Recommending optimal tools for your information security testing project.
- Defining the most advantageous sourcing model.
Security testing outsourcing
- Defining the security testing needs and scope.
- Security testing strategy.
- Analyzing the assets to be tested (e.g., networks, servers, application front-end and back-end).
- Vulnerability assessment, penetration testing, compliance testing and security audit, depending on your company’s goals and needs.
- Combining advanced automated and manual techniques for a comprehensive IT security assessment.
- Detailed vulnerabilities report for your IT and information security professionals and executive summary report for your business team.
- Vulnerability remediation guidance.
When I reached out to ScienceSoft, they were immediately responsive to my inquiry, they provided a very competitive quote quickly, and they were able to schedule the testing shortly after our acceptance of the quote. ScienceSoft’s security testing team performed exceptionally well and gave us confidence that our application posed no serious vulnerabilities. Cooperating with ScienceSoft was a terrific experience, and we will definitely consider them for our future security testing needs.
Ed Gordon, VP Products, 5 Dynamics (Simpli5)
The composition of a cybersecurity testing team varies in each project and is tailored according to specific testing scope and requirements. Here is a list of professionals who may be involved in different types of security testing.
Security testing manager
- Plans a security testing project depending on the negotiated scope.
- Manages security testing process and the team.
- Supervises security testing execution.
- Communicates with the customer to coordinate a security testing project.
- Runs vulnerability scans on applications, networks and devices to identify vulnerabilities.
- Performs a manual review of the findings to exclude false positives.
- Evaluates the severity of discovered vulnerabilities.
- Analyzes the root causes of the vulnerabilities.
- Reports on the findings and advises on remediation steps.
Penetration test engineer
- Locates and explores exploitable vulnerabilities.
- Identifies entry points and methods hackers can use.
- Develops penetration scripts and tests.
- Simulates hackers’ attacks on applications, networks or devices.
- Evaluates the impact of detected security breaches on the business.
- Provides recommendations on security risks mitigation.
Security code review analyst
- Performs a manual analysis of application source code.
- Selects or develops automation tools for code review.
- Identifies vulnerabilities in the code.
- Recommends remediation actions.
IT compliance specialist
- Reviews a company’s IT security policies and procedures, evaluating their compliance with regulatory standards.
- Investigates if all mandatory software, network, and hardware security controls are in place and meet regulatory requirements.
- Documents cybersecurity compliance deviations.
- Offers mitigation guidance.
- Collaborates on compliance documentation.
IT security auditor
- Reviews a company’s security policies and procedures.
- Verifies employees’ security awareness.
- Performs security assessment of software and IT infrastructure.
- Evaluates the effectiveness of security controls.
- Detects gaps in security architecture and procedures.
- Provides a comprehensive report of the audit and a security risk management plan.
Security testing management and implementation are in-house
Pros
- Less risk of sensitive data leaks or vendor incompetence.
- In-house testers are knowledgeable about their company’s processes and IT environment.
- In-house testers can quickly launch a new security testing project or conduct re-testing after remediation.
Cons
- Security testing skills may be limited.
- The need to update the security testing toolkit and hold training for the testers.
- Salaries and maintenance costs.
Security testing management and implementation are completely outsourced
Pros
- Solid experience and best practices: a wide choice of advanced cybersecurity testing technologies and skills.
- Cost effectiveness and reduced TCO.
- The vendor takes over planning, preparation and implementation of the security testing project.
- An independent expert view: impartial insights into your company’s security policy and infrastructure.
Cons
- It may be complicated to choose a reliable security testing vendor among the multitude of offers on the market.
- Exposing your IT infrastructure to a third party may be risky, unless you deal with a reliable vendor.
- The security testing team needs time to get familiar with the specifics of your software and/or IT environment.
Security testing management is in-house; the test team is completely or partially external
Pros
- Flexibility: scaling up and down, depending on the testing needs.
- Control: the internal security testing manager oversees the testing process.
Cons
- It may be difficult to find a well-versed expert able to design the security testing strategy and ensure smooth cooperation and monitoring.
Among multiple security testing tools, ScienceSoft’s experts pinpoint the top ones that can come in handy during security assessment.
A remote web vulnerability scanner.
- G2 Leader for Vulnerability Scanner Software.
- Supports Mac, Linux, and Windows.
- Offers plug-ins with new vulnerabilities 24 hours after the vulnerabilities have become known.
- Detects over 65K common vulnerabilities and exposures (CVEs), including missing patches, outdated software, misconfigurations, absent passwords, DoS vulnerabilities and many more.
- Provides built-in and custom scanning templates to streamline vulnerability assessment.
- Conducts automated scan analysis for remediation prioritization.
- Provides user-friendly navigation and actionable user guidance.
A penetration testing tool offering ready-made and custom code options to exploit vulnerabilities of networks and servers.
- Provides for all the stages of penetration testing: reconnaissance, scanning, exploitation, privilege escalation, and maintaining access.
- Is easily customizable and compatible with most operating systems.
- Integrates with SNMP scanner, Nmap, Nessus, Windows Patch Enumeration, and other tools.
- Offers more than 1,677 exploits and about 500 payloads.
- Includes anti-forensic and evasion tools.
Burp Suite Professional
An all-round set of automated and manual tools for web penetration testing.
- Gartner’s Peer Review Customers’ Choice 2020
- G2 Leader Winter 2022
- Acts as an intercepting proxy, capturing traffic and enabling man-in-the-middle testing of web applications.
- Includes a wide-coverage vulnerability scanner.
- Uses external servers to detect hidden vulnerabilities that bypass conventional SAST and DAST tools.
- Enables advanced attacks of all types: SQL injections, file path traversal, SSRF, XSS attacks etc.
- Offers an embedded browser providing for an immediate launch and access to full Burp Suite functionality.
- Is highly customizable.
- Runs on Linux, Windows and MacOS.
Price: $399 per user per year
Cybersecurity testing costs vary across different projects, depending on the scope of testing required for a particular company.
General cost factors include:
- Security testing targets: number of IPs, servers, networks, applications to be tested, employees to be interviewed etc.
- The complexity of IT environment: network organization, application architecture etc.
- The testing types and techniques: vulnerability scanning, black or white box testing, security code review, social engineering, etc.
For in-house security testing
- The size of the security testing team (salaries and benefit packages, additional training).
- Creating and maintaining a working environment for the security testing unit.
- Toolkit maintenance (license fees).
For outsourced security testing
- The size of the security testing team and the qualifications of the security testing professionals.
- One-time or long-term cooperation (a vendor may be willing to reduce the costs for subsequent IT security assessments).
Sample Security Testing Projects with Costs
Description: Social engineering testing and gray-box penetration testing of customer-facing software (a web and a mobile application) and its external APIs.
Estimated cost: $15,000+
Description: Black-box network vulnerability assessment of up to 200 IPs aiming to evaluate HIPAA compliance.
Estimated cost: $5,000+
ScienceSoft is a global provider of cybersecurity services headquartered in McKinney, Texas, US. With Certified Ethical Hackers on board, ScienceSoft’s security testing team offers its expertise to help customers enhance their IT security posture and maintain their compliance with regulatory standards. Customer information security is ensured by ISO 27001 certification.