One of our clients is forcing us to share a web penetration testing report. We do all kinds of security testing ourselves, but they wouldn't accept our reports. The client's policy requires vendors to share a third-party report. I spoke to a bunch of penetration testing companies. It seems they do basic tests and charge ridiculously high prices. My question is: is it worth doing web penetration testing? Has anyone found it helpful beyond the checklist need?
If you know enough to do your own vulnerability scanning, code auditing, and testing, and have the human capital and available time in your schedule to do it yourself, then the answer is probably "no" from an actual security perspective.

However, there are many teams who either don't have the knowledge/expertise, or the available time, to do the testing themselves. This is where "buying it off the shelf" can come in handy.

Then, there are teams that are completely clueless when it comes to application security, and even the most basic scan by any of these pen testing vendors will find very obvious security defects, which is absolutely valuable for them to learn about. This is the minimum bar that we should hold software application developers to, and there are many who don't even meet this without the assistance of reports from pen testing vendors. Scary, but true.

So, YMMV.
It would be overgeneralizing to say they are all just there to sell testing that allows vendors to check a box on RFPs or contract requirements, but in my experience they mostly exist to generate a testing report and include with it a pitch to sell a product or service that (how convenient!) can solve the problems found in their pentest report.

I've had to wave off a few managers who got unsolicited emails from vendors saying they found or know of vulnerabilities in their site(s) and for just $MANY they can fix them.