With increasing numbers of enterprises adopting SAP business applications in the cloud, many of them engage a trusted, external specialist organization to perform penetration tests. Trends in the global market attest to the growing importance of externally conducted penetration testing services, which are expected to continue to grow at a Compounded Annual Growth Rate (CAGR) of around 14.2% (source: https://www.researchnester.com/reports/penetration-testing-market/717) to become a USD 2.6 billion market by 2027.
There are many questions IT Security teams must ask themselves when conducting penetration testing:
- How do we decide which supplier to choose?
- What are the compelling reasons to perform a penetration test?
- Who should direct the remediation actions post-penetration test?
- What are the risks and constraints that we should be concerned about?
- What penetration test methodology does our situation call for, i.e. Overt vs Covert, Grey Box vs Black Box vs White Box?
- What frequency of penetration test should we choose?
- Who will create and monitor action plans?
- How do we embed governance into penetration test exercises?
- How do we follow protocol when applications are hosted in a third-party data center?
Typically a penetration test has the following phases, although the Assurance Framework is often neglected:
Riscomp can help you provide independent oversight as you invest in conducting penetration testing and derive value out of it over the long term. Our Management Assurance framework will help you establish control processes over important management aspects of testing, such as:
- Test Administration (scope, legal constraints, disclosure, reporting)
- Test Execution (approach, separation of systems and duties, tool heritage, frequency of tests)
- Data Security (secure storage, transmission, processing and destruction of critical or sensitive information provided, the final outcome of the test and remediation actions)
- and much more