10 Best Practices for Choosing a Penetration Testing Company
How to Select a Pentesting Vendor
Penetration testing has grown into one of the most common engagements for the current security-aware companies. There are numerous reasons for running a pentest, such as better security guards, diminished risk levels or meeting strict compliance requirements; and you will find even more penetration testing companies out there.
However, how do you opt for the ideal penetration testing firm? What do you have to take into account prior to engaging an external supplier? And how can you trust this provider to carry out the penetration testing engagement for your own satisfaction and in accordance with your company needs?
We've assembled 10 best practices that may come in handy when Selecting penetration testing firm:
- Define what type of pentest you want
- Evaluate the abilities of the pentesting staff
- Ask for applicable references
- Learn how your data will be procured
- Request accountability insurance
- Get a sample report
- Verify job management capacities
- Explain the methodology and process
- Ask about options for retesting
- Get to know the pentesting seller
1. Define What Sort of pentest you need
Prior to picking your penetration testing seller, you will have to define which sort of technical testing you are searching for. Are you looking for a net application pentest, a cell application pentest or a system / infrastructure pentest? Various kinds of pentests require different types of tools, knowledge and expertise which will also ascertain the cost of a pentest -- make sure your pentesting business is well equipped to execute the pentest that you pick.
As soon as you've defined the scope of your pentest, you will need to indicate how you want the pentest to be performed, i.e. in black box, grey box or white box style.
Black box checks are performed with no knowledge of the analyzed environment. The aim of a black box pentest is to evaluate the amount of security as noticed with a third party connected to the internal network or the internet, without any prior knowledge of this environment.
Grey box evaluations are performed with standard access or using only limited understanding of the analyzed environment. The objective of a gray box pentest is to assess the amount of security as seen by a legitimate user of the customer with an account, along with general information concerning the tested surroundings.
White box tests are performed with knowledge of their inner structure/ design/ execution of the tested surroundings.
It is important your penetration testing company is acquainted with these different testing methods and can guide you appropriately in selecting a pentest kind and method which may work for your objectives and budget.
Usually, the pentesting firm's scoping questionnaire will ask for enough information to be able to suggest a pentest that's customized to your situation.
2. Assess the abilities of the pentesting staff
In addition to evaluating the pentesting company as a whole, you also need to take a close look at the authentic pentesters who will perform the engagement.
There are many penetration testers on the market, however, only few will possess the knowledge and skills to perform a high-quality pentest. What things is a solid mixture of proven expertise and real experience.
Concerning experience, your pentesting team ought to have the ability to demonstrate their technical understanding. For instance, a university degree in information security combined with ethical hacking certifications or continuous education classes are a terrific sign which you pentester has acquired the necessary theoretical and technical abilities to find the job finished. Some of today's most commonly-recognized certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), or Offensive Security Certified Professional (OSCP). When it comes to continuous instruction, the SANS Institute offers a variety of penetration testing classes to hone moral hacking abilities, such as web application pentesting, social engineering, crimson team surgeries, wireless pentesting and much more.
No matter which expertise your pentesting team has, ensure their manuals demonstrate their degree of specialized understanding and their willingness to learn and stay on top of modern pentesting methods.
Ideally, your pentesting team ought to have accumulated experience in a number of businesses, for different kinds of companies and in various types of pentesting jobs. If your organization operates in the financial sector, make sure your pentesting staff has experience with similar associations in the area. If you're searching for a red team workout, look for similar mandates. Generally, your pentesting team ought to have accumulated at least a year or two of expertise. The more varied the experience of your pentesting team, the easier it'll be for them to adapt to your particular circumstance and environment and perform a comprehensive pentest that is based on established methodologies. It's very normal for pentesters to incorporate a summary of the latest pentests at the end of their resume -- make certain to ask a copy!
3. Ask for applicable references
Before beginning your pentest, make sure that you ask for 2-3 references of pentests ran for organizations of similar size, using a similar extent or that are in the same industry as you. In this manner, you'll find another bit of confirmation that your chosen penetration testing organization is appropriate to perform a pentest for your unique business circumstance.
A fast phone call using the supplied references can help you confirm the professionalism, experience and value of the penetration testing firm in ways that their earnings proposal or the resumes of their pentesters couldn't reveal.
Questions you may want to ask:
Was the pentest conducted to your own satisfaction?
Exactly what did/ did not you enjoy in working together with the penetration testing company?
How would you evaluate the pentesting team?
Was the pentest delivered on time and on budget?
Did the pentest report provide a concise collection of the found vulnerabilities, plus proper remediation measures?
Are there anything lost during the pentest?
Would you rather do business with this particular penetration testing company again?
The insights gathered through the conversation with the reference contact(s) could end up being very helpful in deciding upon the pentesting vendor that is right for you.
4. Learn how your data will be secured
Pentesters certainly know how to have access to your confidential information, but their pentesting firm might have to show that they will handle and store this data securely before, during and after the penetration test. After all, you are entrusting a third party with your most crucial data assets and should receive a suitable explanation about information handling before sharing anything confidential.
Data security concerns can include:
How will my data be transmitted?
How will my data be stored?
How will my information be erased?
For how long will my documents be retained?
Has the pentesting company ever been hacked?
Obtaining clarification on information security may be a determining factor when deciding on a pentesting company you can trust.
5. Request liability insurance
Before signing a contract with a pentesting company, inquire whether or not they have liability insurance in place. Liability insurance is significant since it will provide protection to your company from liability risks. For example, if the pentesting company causes any damage to your environment during their testing and intrusion actions, a liability insurance will help remedy this harm.
In the end, penetration testing companies are in the business of information security and risk management, so they should be able to show their legitimacy with a valid liability insurance policy.
6. Get a sample report
The one and only deliverable of a penetration test is a comprehensive report, including all test findings in addition to the essential countermeasures and recommendations to secure your environment going forward. Be certain you receive a copy of a sample pentest report to facilitate your decision-making process and get a sense for what you may actually get in the end of the mandate.
A good penetration testing report must include:
An executive overview describing your overall security position and indicating items that need prompt attention
A technical review describing the activities performed to determine vulnerabilities and also the results of the activities conducting in attacking target systems, such as the methodologies used.
A detailed collection of those vulnerabilities found and their exploits, listed in order of criticality.
Recommendations to optimize protection of the assets identified in the report, with consideration of the resulting price in capital investment, maintenance and operation, personnel and time.
Appendices shooting tool outputs, screenshots, or additional data that helps to give greater context or clarification to the vulnerabilities detected
Your technical IT team will be particularly interested in the comprehensive list of vulnerabilities and exploits, along with step-by-step remediation recommendations, whereas your C-level executives or IT Director/VP may only review the executive summary to get an overview of your own cybersecurity posture and hazard exposure.
7. Verify project management capacities
Just like any other seller you engage with, a part of the achievement of the project will be contingent on their job management capabilities.
Consult your penetration testing firm what kind of procedures and methodologies they have set up to ensure your pentest job is implemented smoothly and on schedule, e.g. according to the instructions of the Project Management Institute (PMI).
Along with asking for the resumes of the pentesting group, make sure that you also inquire about the qualifications and experience of the assigned Project Managers. Have they dealt with comparable pentesting projects before? Do they have proper credentials, such as the Project Management Professional (PMP)® certification? Sound project management capabilities will keep your pentest on track and within budget, manage expectations and ensure quality deliverables at the end of the job.
8. Clarify the methodology and process
When choosing your penetration testing firm, make certain that you validate your candidate follows an industry-recognized pentesting methodology and procedure. You will have to be aware of just how the pentest is going to be performed, which steps will be followed closely, which tools will be used and the way the exploits will likely be evaluated exactly.
Usually, this amount of detail is contained in the revenue proposal or in the statement of work. Otherwise, don't be shy to ask the pentesting company how they will proceed and what approach they follow along during the ethical hacking procedure. Should they follow a similar methodology for all their own pentesting engagements, odds are that this may improve the standard of their work and their degree of thoroughness from the engagement.
9. Ask about options for retesting
If you are watching out for a long-term pentesting spouse, be certain to discuss the prospect of doing a retesting exercise after the first pentest was performed. Retesting is a vital element in a constant penetration testing practices since it verifies if the remediation steps which were suggested by the pentesters have actually been set in place by your IT team.
Any pentesting company considering boosting your cybersecurity posture effectively and sustainably will probably incorporate an alternative for retesting in their earnings proposal, not only to facilitate a longterm partnership and more business, but also to help you strengthen your defenses against cyberattacks.
10. Get to know the pentesting vendor
Lastly, you should be getting to understand your pentesting vendor and have some time to chat with essential resources who will be involved with the project delivery. To get started, ask yourself some fundamental questions:
Does the pentesting seller seem credible?
Does the standing of this pentesting vendor hold true?
Is the communication between you and the pentesting vendor easy and simple?
Would you feel like you can trust the pentesting vendor to perform the pentest based on what was agreed upon?
Would you recommend this pentesting seller for your network?
If you have answered"no" to any one of these above questions, then you may want to dig a little deeper before running the pentest. Do not forget that you're just about to entrust an outside entity with all the crown jewels of your business, so you better make sure you get together with the major contact people involved in the pentest and can begin building a reliable relationship for future appointments. Particularly in regards to safety, you need to have a good"gut feeling" when outsourcing certain projects to a third party.
When assessing a penetration testing firm, there are some best practices that you should keep in mind other than how much the pentest really prices.
Prompt and accurate invoicing is an asset for any business. It ensures that the company is timely paid for its services. As the company grows, managing and tracking invoices belonging to different projects manually is impractical.
Nowadays, every business organization can be seen looking for high-end software solutions to increase the productivity and overall efficiency of their business operations. One such digital tool that has gained immense popularity
The world had started to, slowly but steadily, engage with the concept of digital learning and online exams long before the coronavirus pandemic came along and disrupted the education ecosystem across the globe.
The average time spent on smart devices daily has been increasing over the years. Mobile app development technology is continuously evolving and flourishing in this digital era. Thus, you have to keep up with the latest mobile app development trends.
For security-conscious companies, being compliant with industry-standard security policies is a top priority. Being in non-compliance with industry standards can result in fines. More importantly, it can lead to increased cyber-attacks on your company, employee data, and customer data.
As the world continues to evolve at a break-neck pace, the market has witnessed numerous changes. Among all these changes, perhaps none has proven to be quite as consequential as the emergence of e-commerce.
Tracking your employee's time is an essential component of many businesses. It enables business owners to accurately charge their clients for the time spent on their projects. Luckily, time tracking in the digital age is not a challenge anymore.