Unquestionably, the Internet is a wonderful thing – it has opened up business links across the globe and given consumers competitive choice. However, now that you can buy products or services from anyone, anywhere, how do you know what you’re buying – and from whom?
This also applies to the field of cyber security. There are many different types of penetration test, as well as a great number of providers, employing many more security engineers, each with a different skill set and level of experience.
So it can naturally be hard to know what to look for, and how to compare different providers.
In this article, we’re going to talk you through some key things to look for when buying or comparing penetration testing services – to make sure you make the right informed choices.
This is one of the most common questions we get asked, and as the bare minimum we’d suggest OSCP and CISSP certification.
CISSP has long been regarded as the gold standard of security qualifications. It draws from a comprehensive, up-to-date, global common body of knowledge that ensures security leaders have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices. It is based on the CBK (Common Body of Knowledge), which comprises eight subject domains that (ISC)2 compiles and maintains through ongoing peer review by subject matter experts.
The OSCP is the Offensive Security Certified Professional certification, issued by the Offensive Security organisation, the same organisation that maintains Kali Linux. The OSCP is the best-known penetration testing certification and requires candidates to pass a 24-hour practical exam.
Once you’ve identified a selection of potential suppliers, make sure you ask them some questions about their penetration testing methodologies. In Australia some of the common testing methodologies are NIST, OWASP and ISSAF.
The definition of penetration testing can vary widely between providers. At one end of the scale, some will use qualified, experienced professionals applying an array of up-to-date techniques to test your cyber defences; at the other end, a provider might simply run automated software, which is actually a vulnerability scan rather than a penetration test.
This is very important, because the completed penetration test report, as well as any notes, will document how the successful hack was conducted. It’ll essentially be a really well-labelled treasure map guiding would-be hackers to your most valuable assets.
Ask how the report will be delivered, and in what format. Best practice is to deliver an encrypted copy of the report to restrict potential access to digital copies. It’s also very important that all data from the penetration test is encrypted once the assessment has been completed.
Is it easy to understand, and is it freely available? At Siege Cyber we publish our sample report on our main page, and it does not require you to enter your email address.
Each vulnerability or exploit in the report should be risk-scored using a standardised framework, such as the Common Vulnerability Scoring System (CVSS), and the report should contain a high-level, non-technical summary that relates the findings to the unique nature of your organisation.
Remember, exposing security vulnerabilities is a good thing. It allows you to close the biggest security gaps, demonstrates diligence – and can help secure security budget allocation. So including a non-technical summary is highly desirable.
Look at how they deal with remediation – it should be clear and actionable, with next steps outlined for each vulnerability uncovered.
The report should strike a balance between being easy-to-read – for non-technical senior leadership – as well as containing the necessary technical information for use within your IT department.
Make sure that the provider has taken the time to listen to what you want to get out of the test.
Very rarely do organisations commission penetration testing without some idea of what they need. It might be that you’re launching a new website / web app, your IT infrastructure has changed recently, or your business has made a recent acquisition. You certainly wouldn’t want to compromise your existing perimeter defences if you plan to integrate a new network.
Look for detailed testimonials, and if you’re still not sure, ask to speak to a previous client.
Most companies would be glad to let you speak with a happy customer, to talk through their experiences and give you additional reassurance. If you’re using any industry-specific systems and software, does the organisation you’re looking at have prior experience working within those industries?
It is best practice to periodically rotate your pen testing providers, or at least ensure you are using a different pen tester within the organisation. Individual penetration testers have different skills and strengths, and can also become stale if they already know the intimacies of the infrastructure. New exploits, techniques and tools become available all the time, so it is important that a pen tester works hard to constantly stay current.
Those are seven points to consider when you’re looking to procure penetration testing services. Given that pen testing forms such a vital part of an ongoing vulnerability management strategy, you need to be confident that your provider will uncover the most critical vulnerabilities that could be lurking within your organisation’s environment.
I’m co-founder of Siege Cyber and passionate about Cyber Security, Hiking and Mountain Biking. I’ve been working within Cyber for the past 20 years and most of those years as a penetration tester. As a penetration tester I’ve tested some of the biggest companies in Australia before branching out and starting Siege Cyber. Siege Cyber was created to be an Australian owned and operated bespoke cyber security firm focusing on helping our customers secure their organisation and stay up to date with their compliance requirements listed in PCI-DSS, GDPR, ISO 27001 and others.
Happy to chat, happy to help.