Penetration testing is a methodical process of evaluating the security of a system by attempting to exploit its vulnerabilities and weaknesses. It is a foundational security practice that has been in existence since the 1960s. 

Penetration testing is utilized for a variety of reasons—everything from deep exploitation of target systems to demonstrating that security “due diligence” has been achieved in alignment with particular security standards (PCI, SOC2, CMMC, etc.). As time has progressed, modern testing methodologies have adapted to keep pace with this ever-changing landscape. Through this evolution, a best practice emerged: organizations that required third-party experts for their penetration tests began rotating these experts every couple of years. This practice is commonly known as vendor rotation.

Being an old security curmudgeon, with 14 years in offensive security, I’ve had the opportunity to see how hundreds of different companies approach their pen testing strategy. In this blog post, I’ll share the origin of vendor rotation, the new trend emerging towards in-platform rotation vs. vendor rotation, and how organizations can benefit from this switch. 

The history of pen test vendor rotation

The rationale behind the establishment of vendor rotation in the earlier days of pen testing makes complete sense. Most offensive security vendors have a finite number of testers on their roster, which means a finite number of skill sets and a finite amount of work that each individual can take on. Originally, there wasn’t a great way to know that every year you were getting the best possible security person to assess your systems. Occasionally, you had the choice of waiting for a senior tester to become available (sometimes months of waiting), or you got the next available tester on the bench. Additionally, if you were using the same vendor for multiple tests against the same asset, there was no guarantee that previous work wasn’t being re-used, resulting in a sub-par test.

Following a vendor rotation practice helped organizations ensure that new eyes and new perspectives were dedicated to these testing efforts. It also prevented any potential vendor complacency. 

The problem with pen test vendor rotation

As vendor onboarding and GRC requirements become more intensive, rotating pen test vendors every couple of years has become the thorn in the side of many security teams. Bringing in a new vendor means organizations must:

  1. Kick off a vendor evaluation process
  2. Engage in re-scoping assets
  3. Negotiate prices with a new vendor
  4. Go through any internal GRC reviews for the new vendor
  5. Go through any internal finance and PO requirements to add the vendor to payment systems
  6. Onboard the new vendor

This process results in significant human resource costs for the organization every rotation cycle. These issues lead security teams to a difficult decision: is the price of vendor rotation worth the benefit of making sure that fresh perspectives are always present on your pen tests? Up until now, for most organizations, the answer to this question was “yes.” But what if there was a better way?

A new way to approach pen testing: with an evergreen, elastic bench

Organizations no longer have to rotate vendors to achieve their desired results. On the Bugcrowd Platform, organizations can rotate pentesters whenever they want, on demand! 

The Bugcrowd Platform provides the pen testing framework, the real-time methodology tracking, and the required deliverables (attestation, summary reports, etc.), as well as access to an evergreen, elastic bench of talent for rotating testers and skill sets as often as you like. 

Many Bugcrowd customers appreciate this flexibility as they identify situations where complex testing targets would benefit from the continuity of maintaining specific testers on their assets and other situations where a fresh perspective is the best course of action. 

The benefits of on-demand pentester rotation

Our customers who use on-demand pentester rotation regularly cite significant cost savings. This approach reduces the personnel time and effort that they would have spent on the practice of vendor rotation. 

There are multiple benefits of on-demand pentester rotation vs. a traditional vendor rotation approach: 

  1. There is no need to deal with a time-consuming vendor evaluation process.
  2. You don’t have to go through an additional GRC or finance review to add a vendor. 
  3. You don’t have to start from scratch—you can continue to work with your current team of Technical Customer Success Managers, who have in-depth knowledge of your account. 
  4. You can rotate pentesters anytime, so you can rest easy knowing there is always a fresh set of eyes on your assets. 
  5. In situations where it is helpful, you can keep specific testers who have historical knowledge of your account.
  6. If you use other Bugcrowd solutions like Managed Bug Bounty, all of your combined results can be found on one consolidated platform. 

Pen testing done right with Bugcrowd

The Bugcrowd Platform serves as a hub for organizations to gain access to security experts, researchers, pentesters, and hackers for the purpose of vulnerability identification and risk reduction. The platform provides multiple solutions or frameworks to allow organizations to dictate what sort of security engagement they are looking for. These engagements range from: 

  • Penetration tests that align to PCI or SOC2 
  • Bug bounty programs to harness the power of competitive testing
  • Attack surface discovery to find unknown assets

With access to thousands of security professionals and enthusiasts, Bugcrowd’s platform matches details of your systems to the best possible skill sets to bring the utmost talent to engage with you. 

For the cherry on top, what if I told you that you could buy standard pen tests online? You can purchase pen tests anytime on our website.