10 Best Practices for Choosing a Penetration Testing Company
How to Select a Pentesting Vendor
Penetration testing has grown into one of the most common engagements for the current security-aware companies. There are numerous reasons for running a pentest, such as better security guards, diminished risk levels or meeting strict compliance requirements; and you will find even more penetration testing companies out there.
However, how do you opt for the ideal penetration testing firm? What do you have to take into account prior to engaging an external supplier? And how can you trust this provider to carry out the penetration testing engagement for your own satisfaction and in accordance with your company needs?
We've assembled 10 best practices that may come in handy when Selecting penetration testing firm:
- Define what type of pentest you want
- Evaluate the abilities of the pentesting staff
- Ask for applicable references
- Learn how your data will be procured
- Request accountability insurance
- Get a sample report
- Verify job management capacities
- Explain the methodology and process
- Ask about options for retesting
- Get to know the pentesting seller
1. Define What Sort of pentest you need
Prior to picking your penetration testing seller, you will have to define which sort of technical testing you are searching for. Are you looking for a net application pentest, a cell application pentest or a system / infrastructure pentest? Various kinds of pentests require different types of tools, knowledge and expertise which will also ascertain the cost of a pentest -- make sure your pentesting business is well equipped to execute the pentest that you pick.
As soon as you've defined the scope of your pentest, you will need to indicate how you want the pentest to be performed, i.e. in black box, grey box or white box style.
Black box checks are performed with no knowledge of the analyzed environment. The aim of a black box pentest is to evaluate the amount of security as noticed with a third party connected to the internal network or the internet, without any prior knowledge of this environment.
Grey box evaluations are performed with standard access or using only limited understanding of the analyzed environment. The objective of a gray box pentest is to assess the amount of security as seen by a legitimate user of the customer with an account, along with general information concerning the tested surroundings.
White box tests are performed with knowledge of their inner structure/ design/ execution of the tested surroundings.
It is important your penetration testing company is acquainted with these different testing methods and can guide you appropriately in selecting a pentest kind and method which may work for your objectives and budget.
Usually, the pentesting firm's scoping questionnaire will ask for enough information to be able to suggest a pentest that's customized to your situation.
2. Assess the abilities of the pentesting staff
In addition to evaluating the pentesting company as a whole, you also need to take a close look at the authentic pentesters who will perform the engagement.
There are many penetration testers on the market, however, only few will possess the knowledge and skills to perform a high-quality pentest. What things is a solid mixture of proven expertise and real experience.
Expertise
Concerning experience, your pentesting team ought to have the ability to demonstrate their technical understanding. For instance, a university degree in information security combined with ethical hacking certifications or continuous education classes are a terrific sign which you pentester has acquired the necessary theoretical and technical abilities to find the job finished. Some of today's most commonly-recognized certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), or Offensive Security Certified Professional (OSCP). When it comes to continuous instruction, the SANS Institute offers a variety of penetration testing classes to hone moral hacking abilities, such as web application pentesting, social engineering, crimson team surgeries, wireless pentesting and much more.
No matter which expertise your pentesting team has, ensure their manuals demonstrate their degree of specialized understanding and their willingness to learn and stay on top of modern pentesting methods.
Experience
Ideally, your pentesting team ought to have accumulated experience in a number of businesses, for different kinds of companies and in various types of pentesting jobs. If your organization operates in the financial sector, make sure your pentesting staff has experience with similar associations in the area. If you're searching for a red team workout, look for similar mandates. Generally, your pentesting team ought to have accumulated at least a year or two of expertise. The more varied the experience of your pentesting team, the easier it'll be for them to adapt to your particular circumstance and environment and perform a comprehensive pentest that is based on established methodologies. It's very normal for pentesters to incorporate a summary of the latest pentests at the end of their resume -- make certain to ask a copy!
3. Ask for applicable references
Before beginning your pentest, make sure that you ask for 2-3 references of pentests ran for organizations of similar size, using a similar extent or that are in the same industry as you. In this manner, you'll find another bit of confirmation that your chosen penetration testing organization is appropriate to perform a pentest for your unique business circumstance.
A fast phone call using the supplied references can help you confirm the professionalism, experience and value of the penetration testing firm in ways that their earnings proposal or the resumes of their pentesters couldn't reveal.
Questions you may want to ask:
Was the pentest conducted to your own satisfaction?
Exactly what did/ did not you enjoy in working together with the penetration testing company?
How would you evaluate the pentesting team?
Was the pentest delivered on time and on budget?
Did the pentest report provide a concise collection of the found vulnerabilities, plus proper remediation measures?
Are there anything lost during the pentest?
Would you rather do business with this particular penetration testing company again?
The insights gathered through the conversation with the reference contact(s) could end up being very helpful in deciding upon the pentesting vendor that is right for you.
4. Learn how your data will be secured
Pentesters certainly know how to have access to your confidential information, but their pentesting firm might have to show that they will handle and store this data securely before, during and after the penetration test. After all, you are entrusting a third party with your most crucial data assets and should receive a suitable explanation about information handling before sharing anything confidential.
Data security concerns can include:
How will my data be transmitted?
How will my data be stored?
How will my information be erased?
For how long will my documents be retained?
Has the pentesting company ever been hacked?
Obtaining clarification on information security may be a determining factor when deciding on a pentesting company you can trust.
5. Request liability insurance
Before signing a contract with a pentesting company, inquire whether or not they have liability insurance in place. Liability insurance is significant since it will provide protection to your company from liability risks. For example, if the pentesting company causes any damage to your environment during their testing and intrusion actions, a liability insurance will help remedy this harm.
In the end, penetration testing companies are in the business of information security and risk management, so they should be able to show their legitimacy with a valid liability insurance policy.
6. Get a sample report
The one and only deliverable of a penetration test is a comprehensive report, including all test findings in addition to the essential countermeasures and recommendations to secure your environment going forward. Be certain you receive a copy of a sample pentest report to facilitate your decision-making process and get a sense for what you may actually get in the end of the mandate.
A good penetration testing report must include:
An executive overview describing your overall security position and indicating items that need prompt attention
A technical review describing the activities performed to determine vulnerabilities and also the results of the activities conducting in attacking target systems, such as the methodologies used.
A detailed collection of those vulnerabilities found and their exploits, listed in order of criticality.
Recommendations to optimize protection of the assets identified in the report, with consideration of the resulting price in capital investment, maintenance and operation, personnel and time.
Appendices shooting tool outputs, screenshots, or additional data that helps to give greater context or clarification to the vulnerabilities detected
Your technical IT team will be particularly interested in the comprehensive list of vulnerabilities and exploits, along with step-by-step remediation recommendations, whereas your C-level executives or IT Director/VP may only review the executive summary to get an overview of your own cybersecurity posture and hazard exposure.
7. Verify project management capacities
Just like any other seller you engage with, a part of the achievement of the project will be contingent on their job management capabilities.
Consult your penetration testing firm what kind of procedures and methodologies they have set up to ensure your pentest job is implemented smoothly and on schedule, e.g. according to the instructions of the Project Management Institute (PMI).
Along with asking for the resumes of the pentesting group, make sure that you also inquire about the qualifications and experience of the assigned Project Managers. Have they dealt with comparable pentesting projects before? Do they have proper credentials, such as the Project Management Professional (PMP)® certification? Sound project management capabilities will keep your pentest on track and within budget, manage expectations and ensure quality deliverables at the end of the job.
8. Clarify the methodology and process
When choosing your penetration testing firm, make certain that you validate your candidate follows an industry-recognized pentesting methodology and procedure. You will have to be aware of just how the pentest is going to be performed, which steps will be followed closely, which tools will be used and the way the exploits will likely be evaluated exactly.
Usually, this amount of detail is contained in the revenue proposal or in the statement of work. Otherwise, don't be shy to ask the pentesting company how they will proceed and what approach they follow along during the ethical hacking procedure. Should they follow a similar methodology for all their own pentesting engagements, odds are that this may improve the standard of their work and their degree of thoroughness from the engagement.
9. Ask about options for retesting
If you are watching out for a long-term pentesting spouse, be certain to discuss the prospect of doing a retesting exercise after the first pentest was performed. Retesting is a vital element in a constant penetration testing practices since it verifies if the remediation steps which were suggested by the pentesters have actually been set in place by your IT team.
Any pentesting company considering boosting your cybersecurity posture effectively and sustainably will probably incorporate an alternative for retesting in their earnings proposal, not only to facilitate a longterm partnership and more business, but also to help you strengthen your defenses against cyberattacks.
10. Get to know the pentesting vendor
Lastly, you should be getting to understand your pentesting vendor and have some time to chat with essential resources who will be involved with the project delivery. To get started, ask yourself some fundamental questions:
Does the pentesting seller seem credible?
Does the standing of this pentesting vendor hold true?
Is the communication between you and the pentesting vendor easy and simple?
Would you feel like you can trust the pentesting vendor to perform the pentest based on what was agreed upon?
Would you recommend this pentesting seller for your network?
If you have answered"no" to any one of these above questions, then you may want to dig a little deeper before running the pentest. Do not forget that you're just about to entrust an outside entity with all the crown jewels of your business, so you better make sure you get together with the major contact people involved in the pentest and can begin building a reliable relationship for future appointments. Particularly in regards to safety, you need to have a good"gut feeling" when outsourcing certain projects to a third party.
Conclusion
When assessing a penetration testing firm, there are some best practices that you should keep in mind other than how much the pentest really prices.
Similar Articles
For modern businesses to thrive, ensuring the effective management of inventory stands has become vitally important. Inventory management stands as a cornerstone of success. And the emergence of the Internet of Things (IoT) has introduced a new era of connectivity and efficiency across diverse industries.
Do you know what the following e-commerce companies have in common: Amazon, Walmart, eBay, and more? All of these e-commerce companies' apps make use of Java. Java is decidedly among the leading choices of programming language for e-commerce applications because it offers a world of benefits; for example, since Java code can be run on any platform with a Java Virtual Machine (JVM), users of e-commerce apps made with Java can access the said apps on a variety of devices.
Nikola Tesla in 1926, once described what is now called a mobile phone as a telephone that can fit into one's “vest pocket.” As otherworldly as that idea was then, nearly a century later, the reality is even more astounding.
Given the staggeringly high amounts of data being generated worldwide every single day, it ought to come as no surprise that organizations often struggle to pick the right tools to help them effectively harness the potential of all their data.
Managing properties can be a difficult task with the right tools. Property owners must find and use the best property management software. It can be a long and tedious process as there are many options in the property management software market.
In the ever-evolving financial services landscape, industry challenges are numerous and complex. From stringent regulations to rapidly advancing technology and changing consumer expectations, financial institutions face many obstacles.
The human learning capability is a great resource for helping technology evolve and grow, breaking boundaries, and creating new ones. Emulating the ability of humans to learn at a gradual but retentive pace, Machine Learning is the latest power monster that is redefining human-machine interaction.
In the ever-evolving landscape of low-code development, Microsoft's Power Platform stands out as a powerful tool for building custom applications. In today's dynamic digital landscape, creating and managing web pages is no longer the exclusive realm of professional web developers
In the data-driven business world, where information is of utmost priority, organizations are increasingly turning to data warehousing and data marts to harness the power of their data. These data management solutions are pivotal in transforming raw data into actionable insights.