Conducting a security audit has a cost. When companies are asked about the budget they devoted to it, we often hear “between €10k and €20k”, sometimes a little more, sometimes a little less. However, there is no standard price for this type of service: it all depends on what is done, how, and by whom. If the main objective is to be able to show that a pentest has been carried out within the last 6 months, it is possible to make concessions in order to respect an extremely limited budget.
The objective of this article is not to encourage companies to choose “degraded” services for budget reasons, but to provide concrete options to those who have a real budget problem and yet urgently need a pentest. This is particularly the case for young startups in the process of selling their solution to a major account, who are sometimes blocked because they cannot provide a pentest report. The best solution would be to have enough budget for a thorough security audit, but unfortunately this is not always possible.
Benefits of Making a “Mini” Pentest
A penetration test, or pentest, remains the best way to assess the security level of a system or platform. Beyond an analysis of the technical choices that have been made and the protections that have been put in place, it concretely tests whether security flaws can be found and exploited. The approach is qualitative, and goes further than automated scans.
It is possible to conduct this type of service by limiting the scope to be audited, the depth of the audit, or both. Limiting the scope or depth limits the time spent on the tests, and therefore the cost of the service. In an “extreme” case, the pentest can be limited to a single man-day, which amounts to conducting a “mini” pentest.
In fact, every pentest has its limits. One could almost always spend more time, in order to cover a wider scope or to go further in the analysis. Likewise, a sufficiently motivated attacker will always be able to spend more time trying to compromise a target… if it is worth the effort. For the company that would like to carry out a pentest, the important thing is therefore to delimit the pentest according to its security stakes, its level of risk, its protection priorities, and what it needs to be able to communicate about its security.
A “mini” pentest has the following advantages:
- Making an initial assessment of the security level of a specific target
- Looking for “major” vulnerabilities (the easiest to identify and the most impacting)
- Being able to correct the identified vulnerabilities, which in some cases significantly increases the security level of the target in question (a mini-audit can sometimes identify many vulnerabilities, including critical ones)
- Getting a first pentest report for a (very) small budget
Depending on the results of the pentest, one of the following situations (or something in between) will result:
- Either the mini-audit highlights impacting flaws, which means making considerable progress in security following an audit at a lower cost;
- Or the mini-audit does not reveal any impacting flaws, which means obtaining a valuable pentest report for the company. That report is only as meaningful as the scope and time box it states, so both should be written clearly in the report rather than left implicit.
The “mini” pentest approach is interesting for a target already in production (for which one wishes to obtain a very first security assessment) or for a target under construction (for example an application under development, for which one wishes to have feedback along the way in order to build on a sound basis).
Limits of a “mini” pentest
Of course, a “mini” pentest is not suitable for every business. In many cases it would be a useless service, because it would be far too superficial.
In some cases, even a 5 man-day pentest could be considered a “mini” penetration test, given the security stakes of the company and therefore the need for a more complete analysis. The objectives to be achieved must always be weighed against the means allocated to achieve them.
In addition, for companies that choose to conduct a “mini” pentest, it is usually a first step towards regular penetration tests or other security actions. The aim is to get a first “foot in the door”, knowing that the results of this first pentest can raise awareness at different levels (within a technical team or at management level, for example).
Even in the very short term, the “mini” audit is usually followed by questions:
- If the “mini” audit has highlighted significant flaws, the company may be tempted to carry out a retest (counter-audit) once the vulnerabilities have been corrected, or even to redo an audit in the hope of obtaining a more favourable audit report;
- If the “mini” audit did not reveal any impacting flaws, the company may wonder about the relevance of the scope and duration of the tests, and may wish to quickly conduct a more in-depth audit to reassure itself.
In any case, it is possible to carry out a “mini” penetration test for a budget of less than €1,500, and in some cases this makes it possible to break the deadlock with a first security audit. For some companies this will be relevant, and for others not.
If you are unsure how to proceed in your case, you can contact Vaadata team for a quick assessment of your need.