A common question is: why engage a third-party penetration testing company at all? Why not pick a team from your existing technical staff to run the network security test? First, security audits, like traditional financial audits, are better performed by an outside party with no bias towards, or stake in, anyone or anything inside your organization. Second, good penetration testers are hard to hire and even harder to retain, so most organizations cannot keep that skill set in-house.
# Tip 1: Evaluate technology achievements of the vendor
Good indicators of a vendor's technical competency are:
- Does the vendor have proprietary tools and technology of its own?
- Is the vendor known and respected in the security research community?
- Has the vendor published original research in the penetration testing or vulnerability research domain?
- Has the vendor been credited in vulnerability disclosures for well-known products or applications?
# Tip 2: Focus on the vendor’s real knowledge and not just on certifications
If you focus too much on individual certifications, you will end up eliminating many top-notch penetration testers. As an industry, penetration testing has not reached consensus on a meaningful certification framework. While large companies encourage individuals to collect certifications, this over-emphasis is one of the reasons strong penetration testers are drawn to specialized penetration testing firms, which value individual skill over industry certifications. Ask about real work: what classes of vulnerability the tester has found, what they have written up, and what they would do with a specific scenario from your environment.
# Tip 3: Evaluate the company's trustworthiness and dependability
You would be giving them access to your systems, customer information, sensitive company research, internal memoranda and other confidential matters. You will also be letting them into the backbone of your company's operations. You need to be sure they can be trusted with your data. Look at their previous client list and their overall reputation. Talk to peers and competitors alike and ask for recommendations on which penetration testing companies to consider and call. More importantly, talk to your potential vendor and ask a lot of questions. These may be hypothetical or real questions about their systems and about how they handle client data. You can gauge their level of competence through their responses.
- How is your data stored during and after the engagement? Do they keep it on laptops? Is it encrypted, and when is it deleted?
- What is the organization's own security policy?
- What is their hiring process? Are background checks performed on the testers who will touch your systems?
- What insurance do they carry (for example professional indemnity and cyber liability)?
- What are the indemnity and liability clauses in the contract, and is a non-disclosure agreement in place before any data is shared?
# Tip 4: Consider cost vs. frequency
Gartner recommends that "Penetration Testing carried out regularly is the only way to be one step ahead of hackers". With the conventional, purely manual approach, however, this is too costly. Different testing companies charge different fees for their security audits, so it is best to define what kind of penetration testing you need and get quotes from specific companies against that scope. The article's claim is that vendors without scalable technology for recurrent testing are normally 30-40 times more costly than vendors that have it; whatever the exact ratio, the cost difference between one-off manual engagements and repeatable testing is large. It is not enough to conduct one in-depth test a year, but a stream of shallow scans is no substitute for it either. You need to find a healthy balance between infrequent, in-depth manual tests and frequent, lighter-weight automated ones.
- Within your budget, will you be able to test during every release cycle, or after every significant change?
# Tip 5: Seek penetration testers (specialists), not generalists
Many penetration testing companies can be impressive when discussing attack vectors, their impact, root causes and remediation. They may also have favourite case studies and can explain each type of vulnerability in plain language. But they may not have real expertise at the keyboard. A simple question that helps identify them is: "How specialized is the penetration testing company? Do they deliver this particular service 30% of the time, 60%, or 100%?" Good penetration testers are a rare breed. When it comes to testing your network or application, you need a great penetration tester, not a great boutique firm.
# Tip 6: Check the "process" along with the pen tester's resume
It is true that in penetration testing the person matters more than the tools. Checking the resume of the individual tester is therefore important, but the testing process is just as critical. Check some of the following:
- Does the vendor use a defined process, checklist or methodology (for example OWASP or PTES), and can they show it?
- How do they remove false positives before reporting?
- How many classes of testing are covered, and what percentage of the attack surface does that cover?
- How are complex, multi-stage attacks covered, or are findings limited to what a scanner reports?
- Which tools are used, and how much of the work is manual?
- What is the exploitation process? How do they ensure it is safe for production systems (rules of engagement, agreed exclusions, no destructive payloads)?
- What is the turnaround time from test completion to report?
# Tip 7: Flexibility and turnaround time
Check how flexible the vendor is about testing during the hours that suit your business. Sometimes you will need testing to happen outside business hours to avoid disrupting users.
- Can the vendor support testing outside business hours?
- How much advance notice do they need to schedule a test?
- What is the turnaround time for each test, and does that meet your business need?
# Tip 8: Can the vendor scale up to meet your peak demands?
Work out what your peak requirement could be. If you have 10 applications and all of them need to be tested at the same time, can the vendor test them all in parallel?
- What is the vendor's peak testing capacity?
- Can their infrastructure and team support your peak requirement?
- How many testers do they have, and how many are kept available for elastic or on-demand needs?