
Penetration testing, or pen testing, is a critical component of any organisation’s cyber security strategy, as it helps to identify vulnerabilities that attackers could exploit. However, simply conducting a pen testing exercise is not enough.
Organisations need to ensure that their pentesting strategies, methodologies and programmes are mature and effective, so that all potential vulnerabilities are identified and considered. This is where pentesting maturity models come in.
In this article, we explore the pentesting maturity model put forward by CREST in detail, including its maturity levels, its benefits, and how organisations can use it to enhance their pentesting methodologies and achieve their cyber security goals.
What are maturity assessment tools or maturity models?
A maturity model is a set of guidelines for assessing and improving an organisation’s processes and capabilities in a specific domain. It typically defines some maturity levels, each with its own attributes, best practices, and performance metrics. Such models can be seen as structured frameworks that provide a set of benchmarks that organisations can use as an assessment tool to measure the maturity levels in a particular domain or a service and determine any areas for improvement.
What is a penetration testing maturity model?
A pentesting maturity model is a framework that assists organisations in measuring and improving the effectiveness of their pen testing programme. It consists of several levels, each representing a particular stage to measure the maturity of an organisation’s pen testing capabilities.
By using the maturity assessment tools, organisations can determine their security and maturity levels and create a roadmap for improving their pen testing capabilities over time. This can help to reduce the risk of cyber attacks, enhance security, and improve overall organisational cyber resilience.
CREST penetration testing programme
Many organisations do not know how effective their penetration testing programme is in practice. One of the best ways to help determine the effectiveness and value of a penetration testing programme is to measure the maturity levels of your penetration testing programme in terms of the:
- People, processes, technology and information.
- Requirements, testing and follow-up.
Different types of organisations will require different maturity levels for their penetration testing programme. For example, a small company operating in the retail business will not have the same requirement – or ability – to carry out penetration tests as a major corporate organisation in the finance sector – or a government department.

CREST pentesting management guide and maturity model
The CREST penetration testing maturity assessment is a three-phase model, with each phase further divided into sub-phases against which maturity is measured. The three phases are:
- Preparation
- Testing
- Follow-up
This section discusses each of these phases and their sub-phases.
1. Preparation
The first phase in the CREST pentesting maturity model is the preparation phase. It covers everything an organisation must have in place before it is ready to commission, carry out and receive a pentesting exercise.
This phase is further divided into seven sub-phases which are as follows:
Maintain a technical security assurance framework
This sub-phase involves establishing and maintaining a standard for technical security assurance. It includes the policies, procedures, and guidelines for conducting pentesting exercises.
Establish a Penetration Testing governance structure
Establishing a governance structure for the pentesting programme, covering roles and responsibilities, policies and procedures, and communication plans, is essential. The governance structure should also include a process for managing the issues and incidents that are identified during penetration tests.
Evaluate drivers for conducting penetration tests
This involves determining the drivers for carrying out penetration tests, such as compliance requirements, customer requirements, and/or internal risk management objectives. Understanding the drivers for conducting penetration tests is critical for defining the scope and objectives of a penetration test.
Identify target environments
This involves determining the target scope for the pentesting assessment, which could include production, test or development environments. It is important to choose environments in which the entire security assessment can be conducted safely and effectively.
Define the purpose of the penetration tests
This sub-phase defines what the penetration tests are for: identifying flaws and potential attack paths, validating and assessing the effectiveness of existing security controls, or both. The stated purpose guides the rest of the preparation and testing phases.
Produce requirements specifications
This sub-phase determines what should be included in the scope of testing. It involves deciding which critical assets are to be tested, the maturity level to be achieved, the testing methodologies and tools to be used, and the expected deliverables from the testing programme.
Select suitable suppliers
This involves selecting suitable suppliers for the penetration testing programme, such as external third-party providers or internal resources. The selection process should consider experience, expertise, and availability factors.
2. Testing
The testing phase covers how a pentesting programme is executed. It involves the following steps:
Agree testing style and type
Before conducting a penetration test, it is important to agree on the testing style, type and methodologies that will be used. This involves considering factors such as the organisation’s cyber security goals, the nature and criticality of the systems and networks being tested, and the potential impact of a successful attack or data breach. Testing styles and types include black box, grey box, and white box testing.
Identify testing constraints
It is important to identify any constraints that may affect the scope or methodology of the assessment, such as regulatory compliance, operational capability or resource limitations. Identifying these constraints helps to ensure that the test is appropriately scoped and focused on addressing the organisation’s security requirements.
Produce scope statements
This step makes sure that the assessment is appropriately scoped and targeted at the organisation’s specific security needs. Well-defined scope statements should identify the systems, networks or applications to be tested, along with the testing goals and objectives.
Establish a management assurance framework
To ensure that the penetration testing programme is conducted effectively and consistently across the organisation, a management assurance framework should be agreed that defines roles and responsibilities and provides oversight, support and accountability for the whole testing activity.
Implement management control processes
Such processes are put in place to ensure that the assessment is conducted in accordance with the agreed assurance framework. They should include procedures for quality assurance, risk management, change control, and incident response.
Use an effective testing methodology
A sound testing methodology should be used to ensure that the test is conducted in a structured and systematic manner. It should cover all the essential pentesting steps, such as reconnaissance, enumeration, vulnerability analysis, exploitation, and evidence collection for reporting.
Conduct sufficient research and planning
Before starting the activity, sufficient research and planning should be done to ensure that the pentest is properly scoped and focused on the organisation’s specific cyber security needs and requirements. This includes gathering information on the in-scope systems, networks, or applications, identifying potential attack vectors, and determining the appropriate testing methodologies.
Identify and exploit vulnerabilities
During the execution of the exercise, the pentesting team should identify and exploit flaws in the target systems, networks, or applications. This involves using a variety of testing techniques and tools to assess and exploit vulnerabilities such as injection flaws, flawed business and application logic, and buffer overflows.
Report key findings
Once the assessment is complete, the pentesting team should produce a comprehensive report that describes the key findings and highlights recommendations for mitigating and addressing any identified vulnerabilities. It is then presented to stakeholders and subject matter experts.
3. Follow-up
The final phase of the model is the follow-up phase, which concludes the exercise and covers remediation, mitigation and revalidation. It includes the following sub-phases:
Remediate weaknesses
The vulnerabilities identified during the assessment must now be dealt with. The IT and development teams fix those vulnerabilities and make sure that appropriate security controls are in place to protect against attacks in the future.
Address the root causes of weaknesses
This sub-phase assesses the root causes of the vulnerabilities rather than just addressing the findings themselves, which helps prevent the same vulnerabilities from reappearing in the future.
Initiate improvement programme
The improvement programme is based on the lessons learned from the activity. It should focus on improving the organisation’s overall information security posture rather than just fixing the reported vulnerabilities.
Evaluate penetration testing effectiveness
This sub-phase evaluates the effectiveness of the penetration testing programme to identify areas for improvement. The evaluation should take into account factors such as the scope and objectives of the pentesting exercise, the methodologies used, and the evidence gathered.
Build on lessons learned
Building on the lessons learned from the pen testing activity is important to improve the organisation’s security posture continuously. This encompasses implementing changes to policies and procedures and implementing necessary security controls based on the identified vulnerabilities and their root causes.
Create and monitor action plans
Creating action plans to address the discovered vulnerabilities and root causes and monitoring progress helps ensure the necessary changes are being implemented.
Conclusion
The CREST maturity assessment is a comprehensive framework that organisations can use to develop and mature their pentesting capabilities and methodologies. It is designed to help organisations move beyond conventional pentesting activities and establish a more strategic and mature approach to security assessments, especially pentesting.
By following this maturity assessment guide, organisations can establish a strong foundation for their penetration testing services and ensure they align with their overall information security objectives.

Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.