Penetration testing has become essential for businesses looking to maintain a robust cybersecurity posture. But if you are commissioning a test for the first time, you face the challenge of choosing the right provider.
Pen testing is a specialist skill requiring qualified, knowledgeable professionals, so it is important that you feel confident in the individuals you trust to perform an assessment.
After all, you may well be required to give a tester access to sensitive systems and data. Here are some of the key questions you need to ask a pen test provider in order to make the decision-making process as stress-free as possible.
Do they have relevant certification?
It is vital that you can trust your pen test provider to complete work to the highest technical, legal and ethical standards. The first thing to establish, in order to obtain that reassurance, is whether the provider is trained and qualified in the services it offers.
Look for pen test providers that are CREST-accredited and that employ ethical hackers holding a range of professional certifications. Note that company-level accreditation and individual certifications are separate things, so ask for the certifications of the specific testers who will be assigned to your engagement, not just the company's badge. Together these demonstrate not only that the testers have up-to-date knowledge of current attack techniques, but also that they can be trusted to conduct assessments safely, without damage or disruption to your systems.
Can they perform a wide variety of tests?
There are many different types of penetration testing. Most businesses require a range of tests to identify both internal and external exposures, as well as those specific to networks, systems and applications.
This means you will benefit most from a team of pen testers with the skills and experience to conduct a wide range of assessments, including white-box, black-box and grey-box testing. Some pen test providers rely heavily on automated scanning, so it is important to ascertain how much manual testing will be performed as part of an assessment, and whether the report will distinguish findings from manual testing from raw scanner output.
A pen test is not primarily about listing large numbers of low-severity issues; its value lies in finding the high-risk weaknesses that scanning tools cannot detect, such as business-logic flaws, authorisation bypasses and chains of individually minor issues that together give an attacker a foothold.
Do they have a good track record?
An experienced pen testing provider will have a good reputation in the cybersecurity field, so ask whether the business can supply client references and testimonials from organisations similar to your own.
If a provider cannot show evidence of having carried out work to a high standard for other businesses, walk away. You should not settle for low-quality work when there are many reputable providers available.
Do they have specific industry knowledge?
It is vital to establish whether the provider has experience of working with organisations in your particular industry, as this affects whether it is capable of performing thorough testing without causing harm.
For example, how familiar are the provider's testers with the software and applications commonly used in businesses like yours? Are they aware of the risks of testing specialist infrastructure, such as that used in the financial, healthcare and manufacturing sectors, where active scanning or exploitation of legacy or operational-technology systems can cause outages that would be unacceptable in production?
Do they report and provide feedback?
When talking with a provider, it is important to establish not only how the penetration test will be conducted, but also what feedback you will receive and how it will be communicated. Many testers are capable of carrying out testing but do not always provide the level of detail you need to prioritise and address the risks identified.
Choose a provider that will deliver a comprehensive post-assessment report suitable for both technical and non-technical stakeholders: an executive summary of overall risk alongside, for each finding, a severity rating, the evidence and steps needed to reproduce it, and concrete remediation guidance. Always ask to see a sample report.
Are they flexible?
Given that penetration testing is likely to involve important systems and infrastructure, you need a pen testing provider that is flexible to your business needs. For instance, can testing be performed both on-site and remotely, and outside regular office hours, within an agreed testing window and rules of engagement?
Do they offer a free retest?
Finally, consider what happens after your penetration test. Your business will likely need to take steps to address the vulnerabilities identified, but how do you know whether those measures are effective? Too many businesses apply a fix but never validate it, so the fix may be incomplete, may have been applied to only some affected systems, or may leave the same weakness reachable by another path, meaning it would not hold up in a real attack.
Always ask a provider whether it offers a free retest of the findings so that you can gain confidence that the changes you make are effective.
About the Author: Chester Avey
Chester Avey has over a decade of experience in cybersecurity and business growth consulting. He enjoys sharing his knowledge with other like-minded professionals through his writing. Find out what else Chester has been up to on Twitter: @Chester15611376.