When looking for a penetration testing provider, you’ll want to be confident that the partner you choose can deliver a thorough test, will be responsive to questions/requests and can tailor deliverables to your needs. A good penetration testing provider will also ask the right questions and will be able to help you with defining the scope of testing.
In this blog we’ll cover some items you may want to consider when looking for a penetration testing partner so that you’re getting the most value from the engagement.
Understanding their Testing Methodology
It’s important to understand the methodologies followed by the penetration testing provider and what standards they follow. Does their testing cover the OWASP guidelines or the NIST framework? Are they using manual techniques and tools as well as automated? You should also make sure that the tester will provide more than a simple vulnerability scan of the in-scope targets and can explain their testing process.
Ensuring They Have the Required Accreditations
Ensure that the penetration testing provider has the required accreditations, not just as a mark of quality but also where a stakeholder mandates that the provider must hold certain credentials. In the UK, government organisations and certain private sector stakeholders will require suppliers to have a penetration test carried out by a CREST-accredited provider.
You may also consider the knowledge and certifications of the testers. Do they have previous experience delivering the type of testing you require? Some of the most well-regarded penetration testing certifications include the OSCP, GIAC GPEN and CREST CPSA/CRT/CCT (although there are many great testers with no certifications at all).
Understanding the Deliverables
Not all penetration testing providers will offer the same set of deliverables and it’s critical that you are able to compare what you are receiving for the cost of the engagement. All providers will deliver a penetration testing report after testing has concluded but some other things to consider would be whether retesting (to confirm that any vulnerabilities discovered have been successfully remediated) is included and what level of support is available after testing.
Ultimately you need to ensure that the penetration testing deliverables meet your needs. Perhaps you require a summary version of the report or a certificate of penetration testing to share with stakeholders. Establishing what’s included at the outset will save you the awkward conversations and potentially cost further into the engagement.
Key Questions to Ask:
- What sort of methodologies does the provider use during testing and does this include manual testing?
- What accreditations do the providers have? Does this meet the requirements of stakeholders?
- What will the penetration testing report include?
- Will a summary report or certificate be provided at the end?
- Will retesting be included as standard?
- What updates will you receive during testing?
- What availability does the provider have? Does this align with your timelines?
Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing and Cyber Essentials/Cyber Essentials Plus assessments. What makes us different? We combine expert cyber security with great customer service and value for money. Please contact us if you’re interested in a free consultation.