What to Look for in a Penetration Testing Provider
Finding the right penetration testing partner is critical. A third-party penetration tester can serve as a new set of eyes. They can give an unbiased review of your environment’s security, as well as provide fresh ideas for securing it. Engaging a partner also makes sense from a staffing perspective. With the right provider at your side, you can ramp up and down as testing needs vary, and have access to skilled penetration testers with diverse areas of expertise.
Keep these questions in mind as you evaluate and select your penetration testing provider.
Can the partner meet your business goals?
Before identifying a penetration testing provider, ask yourself what your company’s specialties are, and take stock of your business goals. Instead of trying to shape your goals to a provider’s services, identify and vet them based on how they can serve you.
This analysis starts with asking concrete questions, like identifying what industry your business is in, and what technologies you use. Vetting potential partners based on their relevant experience with businesses like yours is a helpful beginning.
However, these can expand to broader questions about how the penetration testing is supposed to fit into longer-term goals for your company. For example, if your business is concerned about auditing and deadlines, their experience with relevant audit frameworks will be important, as will their ability to ramp up testing activity quickly to fit remediation and auditing timelines. On the other hand, when considering a penetration test for a new critical infrastructure build, you may want to evaluate with a focus on comprehensiveness, given the limits on future opportunities to test critical infrastructure. No matter what those longer-term goals are, identifying them early in the process will help you identify someone who can satisfy them.
How well do they keep up with the fast-moving security landscape?
As your business begins to use new technologies, you need a penetration testing partner who actively expands its knowledge base to keep up. One of the reasons for regular penetration testing is to test whether your infrastructure or software is vulnerable to newly discovered exploits or attack techniques. You will only find that out if your penetration testers learn new techniques well enough to apply that knowledge in tests and provide solutions moving forward.
Barring audit requirements that may require penetration testers to have specific certifications, it is more important to determine how a penetration tester values ongoing learning and research than it is to vet specific certifications. After all, even if a company has people with specific certifications on staff, they may not always be the people who work on your engagement, or the people who specialize in your industry or your suite of technologies.
To learn how dedicated a company is to their penetration testers’ continued learning, find out whether they actively contribute to the security community. This work can come in a wide variety of forms. The technical blogs, podcasts, webinars, and security conference talks published and released by a company’s penetration testers can give you an idea about the research they are doing to stay current and deepen their toolkits. In addition, if many of their penetration testers actively release security content, it also tends to indicate that their company supports their ongoing research and learning.
What are their processes and methodology?
By asking about their processes and methodology, you can assess whether a penetration tester’s work aligns with industry standards and your own goals.
You can learn a lot by asking what tools they use. Do they focus on an automated tool, or a small range of them, and then validate the findings of those tools? Such work has a place in a security plan but is more aligned with vulnerability scanning than penetration testing. On the other hand, if they discuss a broader range of technology-specific and protocol-specific tools as part of a comprehensive reconnaissance and penetration process, that may indicate a good fit.
It also makes sense to ask a prospective penetration testing partner how they respond when a client has a technology they do not yet have experience with. Often businesses evaluate and implement newer technologies that need to be tested. Being able to assess those newer platforms requires a partner willing to read the manual, read existing security research about new technology, think critically about it, and expand their skill set.
Much like the previous discussion about technical publications, finding out their processes when confronted with new technology is another way to vet how a penetration tester stays at the leading edge of penetration testing. Ask them how they would handle a new platform or technology. See how specific they get. If they say they can do it but don’t delve into specifics, that may raise questions. If they get into more detail about their procedures for testing new technologies or can provide relevant case studies, that is good evidence the company has meaningful experience penetration testing emerging technologies.
Concern about processes goes beyond the technical realm, as well. It also embraces questions of project management and communication. Knowing how a penetration tester manages their projects will shed light on how much structure they have and how well their project management methods will work with your company’s structures and teams. Knowing how they communicate with their clients about their tasks, needs, and timelines can build confidence that they will work as a partner.
How informative and trustworthy is their reporting?
Reporting helps make a penetration test actionable and helps strengthen the trust between client and provider. It should be professionally created and edited, and should accurately reflect the penetration testing activities, findings, and recommendations for how to improve the company’s security in light of those findings.
Also, before engaging a penetration tester, be sure to get sample reporting for multiple audiences. For example, board-level reporting about the state of the cybersecurity program differs from reporting focused on developers who are creating and fixing software. Ensure that a penetration tester can provide clear reporting that the necessary parts of the company can understand and act upon.
Are they solution-minded?
Though accurately vetting a penetration tester’s culture is not easy, thinking critically about what they discuss in their materials and in your scoping conversations goes a long way. Are they holding fast to a rigid mode of analysis, or are they asking questions about your business in order to know what matters to you and evaluate findings in light of your specific risks? Are they talking about all the problems they are going to find, or are they talking about finding solutions to your problems?
After all, the goal of a penetration test is not just to break things — it is to manage risk in your business. Diving in and finding a full range of ways to exploit vulnerabilities is part of it, but they also need to be there to show how to put it back together in a way that strengthens security and reduces the risk of later attacks. They need to have a collaborative relationship with your developers, IT staff, and security staff. That way, they can enable secure solutions and innovations.
Learn more about Security Compass
When you are ready to talk about enterprise penetration testing, Security Compass is ready to listen. Our collaborative approach is central to everything we do, and we take pride in our constant learning and actionable reporting. Learn more about our full range of enterprise penetration testing services, and contact us to schedule a conversation.