You cannot fix a problem that your organization does not know about. And penetration testing lets you know the real capabilities of your cybersecurity system by simulating attacks just like real hackers would. This is the main goal of the penetration test: to increase the security and resilience of the enterprise to possible risks associated with cyber threats.
So a penetration test is not something you do for show. And it is important to treat this procedure with maximum responsibility. Before choosing a penetration testing provider, you first need to determine your basic testing requirements, goals, and budget. And then you can move on to choosing a company for pentesting.
In this article, we will walk you through what to look out for when choosing a penetration testing service provider, as well as provide you with a list of questions to ask.
Choosing a penetration testing company: 7 practical tips
1. Learn about the experience of the company and engineers, check the reputation
It is very good if the pentester team has extensive experience in different industries, with different companies, and understands a large number of penetration testing scenarios. The more diverse experience the team has, the easier it will be for them to adapt to your specific conditions, business specifics, technologies, etc. It is also obvious that if your organization operates in the financial sector, for example, pentesters should have working experience with similar companies.
As with other services, you should choose pentesters with a proven track record. Look for testimonials, or contact clients who have worked with these pentesters before. Find out any available information just as you would with any responsible purchase.
2. Make sure the company has the appropriate certifications
There are many penetration testing certificates that confirm the qualifications of pentesters. One of the most known is called Certified Ethical Hacker (CEH). To obtain this certificate, you must pass a 4-hour exam, which consists of 125 questions. There are also more advanced certifications, such as the Offensive Security Certified Professional (OSCP). To get it, you must pass a 24-hour exam, where candidates must use their practical skills. Another certification — Certified Information Systems Security Professional (CISSP) — one of the most valuable certifications in the industry. To obtain it, you must pass a 6-hour exam by answering 250 questions. The minimum experience requirement is 5 years.
We also draw your attention to the fact that ESKA experts hold all of the above certificates.
Below are some of the other certificates:
- Offensive Security Web Expert (OSWE);
- Burp Suite Certified Practitioner (BSCP);
- Certified Expert Penetration Tester (CEPT);
- GIAC Web Application Penetration Tester (GWAPT) and GIAC Penetration Tester (GPEN);
- CREST Certified Infrastructure Tester (CREST CCT) and CREST Registered Penetration Tester (CREST CRT);
As you can see, in the cybersecurity industry there is no universal qualification certification system. And in your decision, you should always look back at the real skills and experience of pentesters, as well as take into account the complexity of the projects they have already completed.
3. Learn more about what methodologies the provider uses and how the testing process is carried out
There are many methodologies for pentesting. Methodology is a set of interconnected methods and techniques. And methods are specific ways or tools. Typically, experienced pentesters are proficient in several methodologies.
For example, ESKA experts use the following methodologies: OWASP, OSSTMM and MITRE ATT&CK.
In short, these methodologies are as follows.
- OWASP (Open Web Application Security Project) — a formalized and structured methodology that governs almost all aspects of penetration testing, with a focus on pentesting computer networks;
- OSSTMM (Open Source Security Testing Methodology Manual) — a methodology narrowly focused on pentesting web applications, describes the pentest process in detail;
- MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) — in general, not so much a methodology as a knowledge base that contains a description of the tactics, techniques and attack methods used by hackers.
- Information System Security Assessment Framework (ISSAF);
- Penetration Testing Execution Standard (PTES);
- NIST SP800-115.
Also find out the details of how the pentest process itself goes and what phases it includes. You need to know for sure that in addition to the automatic test (vulnerability scanning), pentest also contains manual testing according to certain methodologies. In this way, you can assess the maturity of a company that provides penetration testing services.
4. Find out how the company protects customer information assets
In addition to the knowledge and experience of pentesters, it is also important for you to learn about the mechanisms that the company uses to ensure the reliability of its employees and protect customer assets.
That is, establish whether background checks are carried out when employees are hired. Since these people will have access to your inside information, possibly some trade secrets, financial information, etc.
In addition, you must be sure that the company you use for services will properly take care of the security of your data. Learn about how your company’s information assets will be transferred, stored, and disposed of. Also ask if the penetration testing provider itself has ever been hacked.
5. Flexibility and time
Another important factor is time and flexibility in work. The best specialists will always find an opportunity to meet with you and study your business. In addition, you need to understand exactly what time frame the entire penetration test will fit into, and when pentesters will be able to start working.
Usually the speed depends on the complexity of the test itself. And the preparation time varies from several days to several weeks. In some cases, even several months. All this you should take into account in your planning.
Also keep in mind that the pentest service provider who has given you the most clarity about the course of action will be the easiest to deal with.
6. Get an example of a report or its scheme; find out what is usually included in the list of the report after pentesting
Experienced pentesters can not only be effective in hacking systems, but also in analyzing and systematizing the results. That is, you should make sure that in the end you get a clearly articulated conclusion and a report on the work done.
It is highly desirable that this report contains:
- General conclusions indicating the level of cybersecurity of the system, as well as a description of the elements that require immediate solutions.
- Technical details, a description of the steps that were taken to identify the vulnerabilities.
- List of discovered vulnerabilities and their exploits.
- Analysis of vulnerabilities: which ones are critical and require immediate attention, and which ones are minor and can wait.
- Annexes, screenshots, details that could fill the report with context and clearly demonstrate which specific assets were accessed.
- Recommendations for optimizing protection, assessment of the required financial and time investments; temporary and long-term solutions, description of technologies to be implemented, etc.
In general, a pentest report should be understandable to non-technical people, such as managers and company executives, so that they can get a general idea of the strength of cyber protection, as well as problems, risks and threats.
And at the same time, the document should contain enough details so that your IT specialists can use this information in their work: a detailed list of vulnerabilities and exploits, recommendations for fixing, etc.
7. Ask about the possibility of retesting, as well as support and assistance in implementing the recommendations from the report
If you are interested in long-term support for cybersecurity experts, be sure to discuss this issue. Since retesting is critical, because only in this way can you be sure that the measures and recommendations for fixing vulnerabilities have been successfully implemented by your IT specialists.
Usually reliable penetration testing companies are always interested in having loyal customers and include the possibility of repeat pentesting in their sales proposals. This contributes to long-term partnerships, establishing a favorable reputation, and expanding business.
And at the same time, the experts who will work with you on an ongoing basis will be intimately familiar with the nuances of your business, as well as the technologies you use. Accordingly, the efficiency of their work will be higher, as well as the level of cybersecurity of your company.
Questions to ask your penetration testing provider
- What experience does the company have?
- What certificates do pentesters have?
- What companies have you already worked with?
- In which countries do employees work?
- How do pentesters keep in touch with each other?
- How is the recruitment process?
- How is a penetration test carried out, what stages does it include?
- What methodologies are used for pentesting?
- What part of the pentest is automated and what part is done manually?
- Will the company be able to continue operating during the pentest?
- Who will have access to confidential information?
- How will company data be stored?
- How will company data be shared?
- How will the data be disposed of?
- Has the service provider ever been hacked?
- How long will it take to prepare for the pentest?
- How long does a penetration test take?
- What details does a pentest report contain?
- Are there examples of reports?
- Is it possible to count on long-term cooperation and support?
Please note that this list of questions is not exhaustive. Remember also that close communication with the penetration test service provider, both verbal and written, will help you ensure that your security goals are met.
It is clear that penetration testing is one of the key components of protecting companies’ information assets. And whether you are pentesting your company to meet some industry regulation or improving your security system, it is important to make sure you choose the right provider for your needs.
If you need help in conducting a network or web application penetration test, we are ready to offer it. Contact us today to learn more about how we work and the results you will get. Ultimately, by working with ESKA, you will be able to provide the best cybersecurity for your organization or product.