Choosing a Penetration Tester
Top 5 Tips When Choosing your Penetration Testing Company
1. Find a company you trust
Trust is fundamental. You will be allowing this company to access your systems, customer data and sensitive company intelligence. In effect, you will be permitting access to the inner workings of your organisation's operations. Be sure that they can be trusted with your data and that they have a proven track record. Look into the company's background. When was the company established, and how many penetration tests have they performed for large, security-focused organisations? Find out whether penetration testing is a core skill set or just a value-added service.
Ask if they have worked with clients in your industry sector. Can they put you in contact with organisations of a similar profile to yours for a reference check? It is important that the references are of a similar size and profile to you; otherwise their feedback may not be relevant. Look at the company's technical achievements. Do they present at industry events, belong to industry associations or have they won awards? What kind of reputation does the company have in the marketplace?
2. What exactly do you need?
To get the best value for your IT security investment, you need to know exactly where you need help, why you need it, and which systems you want security tested. As the saying goes, the better the brief, the better the job, so clearly define your objectives, scope and expected outcomes from the start.
3. Ask questions, then ask some more
Ask questions about the testing methodology. What defined procedures and tools does the company use? How do they protect your business and your data during the testing? How do they verify findings and remove false positives? What classes of testing are performed? How are complex, multi-stage attacks covered?
4. Who does the testing?
Remember that a company does not conduct a penetration test; people do. No matter which company you go with, it always comes down to the person or the team working on your business. Find out exactly who will be conducting the testing: is it outsourced, sub-contracted or in-house? Ask to see their credentials and interview them by phone, Skype or in person. Finally, ask whether significant findings will be reported to you as they are discovered during the test, rather than only in the final report.
5. What is the end-result?
Up front, ask the company exactly what you will receive at the end of the penetration test. Ask to see what a real-world deliverable looks like. A quality report should detail the key findings and provide solid remediation advice, in priority order, to address every issue found. In short, the final report should be a valuable tool with a clearly defined action plan on the best ways to remediate vulnerabilities. Quality reports also detail how to re-test each vulnerability once the identified flaws have been fixed.
These tips are based on our many years of experience and the thousands of penetration tests we have conducted.