GRC Viewpoint

Top 10 Things to Look for in a Pen Testing Vendor

Many organizations are required by law to adhere to regulations or industry standards (for example, NIST, CMMC, PCI DSS, GLBA, HIPAA, SOC 2, ISO 27001, etc.) that include the use of security assessment techniques like penetration testing (aka, “pen testing”) as a component. Other organizations want to be proactive and find the “open doors and windows” through which bad actors will try to compromise their information systems. According to the InfoSec Institute, “As cyber threats continue to grow, so does the need for competent Ethical Hacking and Penetration Testing professionals.”

Why Should You Acquire Pen Testing Services?

The goal of a pen test is to improve client security by providing risk information. Automated scans can only detect so much when it comes to security vulnerabilities. No one has successfully automated all the variations of testing that an expert human can perform. If your organization is not aware of its vulnerabilities, it cannot effectively mitigate the associated risks through appropriate security measures, at least not without the risk of overspending on solutions you may not need. So what should an organization consider when choosing a pen testing provider?

The Top 10

  1. Certs and Experience

When considering a potential pen test vendor, a high priority should be to find one that hires trained and experienced pen testers. Ideally, one or more team members will hold at least one of the following industry-recognized professional certifications: GPEN, CEH, SANS GXPN, GWAPT, OSCE, or OSCP. You should also ask what type of experience the company looks for when hiring, and possibly what type of training and development is provided or required of pen testers. At the end of the day, pen testing exists to make the company better, so client-facing pen testers who can appear on a video call and politely, helpfully and proactively engage and make recommendations are a big deal!

  2. Safety is Critical

It is also important to inquire about the mechanisms employed by the company to ensure its testing team is trustworthy, so that the dangers posed to your organization by interaction with your systems are limited. Does the vendor require background checks for its employees? Does the company have policies in place that address tools and techniques for reducing the risk of systems being overwhelmed or data being altered?

  3. Methodology Visibility

When contracting with a penetration testing service provider, organizations should seek vendors that provide a clear statement of work that highlights tools and methods employed, testing limits, time of engagement, privacy concerns, and reporting expectations. Insist on the right alignment with your organization’s needs, such as requiring clear recommendations for remediating any flaws identified.

  4. Statement of Work Documentation

In the same vein as expecting openness from your vendor about its policies and procedures, it’s also important to insist on the use of a Rules of Engagement (ROE) document that both parties sign. This document should focus on clarity about testing expectations. You should ensure it defines a clear time period for the testing. Also, be sure to define what systems and/or data will be declared “off limits” during testing. Identify the turnaround time for testing and deliverables that will be acceptable for your organization.

  5. Latest Techniques

There are many approaches to penetration testing, and some pen testing companies become stuck testing for older, well-known types of flaws. While it’s important not to neglect testing for those types of issues, the technology field is constantly changing, growing, and increasing in complexity. Does the vendor have the knowledge to test for flaws in cloud hosting environments, highly integrated systems, new identification and authentication solutions, etc.? Verify that your vendors are also using the newest commercial penetration testing tools and techniques in their assessments.

  6. Data Security

Ideally, the vendor will be up front about its data handling practices and what laws and regulations it follows in that regard, but if this is not specifically addressed you should not assume or take it for granted. Before entrusting sensitive data to an external entity, it is important to specifically inquire about the handling of that data: how is data transmitted, stored, and disposed of by the vendor? What is the data retention policy? Has the company ever suffered a data breach and, if so, what has been done to ensure it never happens again? Does the vendor maintain cyber liability insurance that will cover damages for customers?

  7. Reconnaissance

A pen tester should never stray outside of the approved scope for a pen test, but the areas they are testing should receive comprehensive attention. Many pen testers will focus only on reconnoitering the lowest-hanging fruit on the network and will consider the test complete as soon as a high-risk flaw is identified, leaving much of your network untested. Verify that the company will include a robust flaw enumeration phase in its testing, even if there is not enough time or resources to cover complete testing of every flaw. Also, the best pen testing companies provide remediation testing as part of the engagement: after you’ve had time to remediate the flaws identified, they test the vulnerable systems again to validate that the remediation was successful.

  8. Reputation

Just as you would when looking for any vendor, the reputation of your candidates for pen testing services should be verified through third parties and in the marketplace as much as possible. Find companies with a proven track record and with a strong reputation for quality and value. You can check references, check consumers’ reports, and possibly even reach out to prior customers.

  9. Specialization

It’s not necessarily a bad thing if a pen testing company promotes its ability to take on testing of any possible environment and use case. However, if you have unique technologies in your architecture, or use cases for your systems that merit detailed investigation and testing, then you should ensure the contenders for your business include those that specialize in testing those technologies or processes. It is important to discuss early on what varieties of systems, software and architecture the pen testers will have to test, and to ascertain the level of experience the pen testing company can demonstrate with the same, or at least similar, targets.

  10. Beware of Highly Technical Jargon

Pen testing is a specialized field by its very nature, but the best pen testing companies make the core concepts of testing understandable for any member of your organization. They will not leave you wondering, after a meeting or after reading a document they provided, what exactly they will be doing at each stage of the engagement. The vendors should be able to communicate difficult concepts in ways that even non-technical executives can appreciate and use to take appropriate action. Ask for sample reports, evaluate how well they answer your questions, and pay attention to whether jargon is being used as a crutch to cover the vendor’s inadequacies. Seek clarity and avoid those vendors that rely on smokescreens.

Conclusion

Penetration testing is without doubt a critical component of securing your information resources. Whether motivated by regulatory compliance or out of a desire to be proactive and avoid losses, contracting for pen tests on a regular basis is a leading practice for all modern organizations. Pen testers will help you identify your organization’s weaknesses using the same methods as attackers. With such high risk associated with information security, examining the areas discussed above will help you choose the right vendors.

By Greg Johnson, PCIP, CEO, Webcheck Security