Unquestionably, the Internet is a wonderful thing - it has opened up business links across the globe and given consumers competitive choice. However, now that you can buy products or services from anyone, anywhere, how do you know what you’re buying - and from whom?
This also applies to the field of cyber security. There are many different types of penetration test, as well as a great number of providers - employing many more security engineers, each with a different skill set and experience.
So it can naturally be hard to know what to look for, and how to compare different providers.
In this article, we’re going to talk you through some key things to look for when buying or comparing penetration testing services - to make sure you make the right informed choices.
What credentials should you look for?
This is one of the most common questions we get asked, and as the bare minimum we’d suggest ISO27001 and CREST certification.
The ISO standard means the organisation has been officially audited and that its information security procedures match the best practice published by the International Organization for Standardization. Since its publication in 2013 it has become a requirement for anyone bidding for public sector contracts, and it enjoys widespread take-up in the private sector.
CREST certification, by contrast, is a lot more specialist, and is used by both individuals and organisations providing penetration testing, cyber incident response, threat intelligence and Security Operations Centre (SOC) services.
By looking for a CREST-approved provider, you’ll be safe in the knowledge that they subscribe to latest industry best practice, and you’ll also have the backup of an enforceable Code of Conduct should anything go wrong.
Take a look at key methodologies
Once you’ve identified a selection of potential suppliers, make sure you ask them some questions about their penetration testing methodologies.
The definition of penetration testing can vary widely between providers. Some will use qualified, experienced professionals applying an array of up-to-date techniques to test your cyber defences; at the other end of the scale, other providers might simply run automated software - which is actually a vulnerability scan, not a penetration test.
Understand their security precautions
This is very important, because the completed penetration test report, as well as any notes, will document how the successful hack was conducted. It’ll essentially be a really well-labelled treasure map guiding would-be hackers to your most valuable assets.
Ask how the report will be delivered, and in what format. Best practice is to hand deliver a hard copy of the report, to restrict potential access to digital copies.
What does their sample report look like?
Is it easy to understand?
Each vulnerability or exploit on the report should be risk-scored using a standardised framework, such as the Common Vulnerability Scoring System (CVSS), and should contain a high-level non-technical summary, easily relatable to the unique nature of your organisation.
Remember, exposing security vulnerabilities is a good thing. It allows you to close the biggest security gaps, demonstrates diligence - and can help secure security budget allocation. So including a non-technical summary is highly desirable.
Look at how they deal with remediation - it should be clear and actionable, with next steps outlined for each vulnerability uncovered.
The report should strike a balance between being easy-to-read - for non-technical senior leadership - as well as containing the necessary technical information for use within your IT department.
Have they listened to your needs?
Make sure that the provider has taken the time to listen to what you want to get out of the test.
Very rarely do organisations commission penetration testing without some idea of what they need. It might be that you’re launching a new website / web app, your IT infrastructure has changed recently, or your business has made a recent acquisition. You certainly wouldn't want to compromise your existing perimeter defences if you plan to integrate a new network.
Look for detailed testimonials, and if you’re still not sure, ask to speak to a previous client.
Most companies would be glad to let you speak with a happy customer, to talk through their experiences and give you additional reassurance. If you’re using any industry-specific systems and software, does the organisation you’re looking at have prior experience working within those industries?
Have you worked with them before?
It is best practice to periodically rotate your pen testing providers, or at least ensure you are using a different pen tester within the organisation. Individual penetration testers have different skills and strengths, and can also become stale if they already know the intimacies of the infrastructure. New exploits, techniques and tools become available all the time, so it is important that a pen tester works hard to constantly stay current.
Can they offer remediation services too?
This one is more personal preference. Some organisations will tell you how they breached your system and then also offer consultancy services to fix the holes in your security, and others will simply stop at outlining how they did it. From a buyer’s perspective, some prefer to continue using a trusted supplier to provide security remediation services, and others would rather contract a third party.
The theory behind the third party option is that if the same company manages your security and also conducts your pen testing for you, it can be a little like marking your own homework. There can sometimes be a degree of self-interest - but not always.
So there you have it!
8 points to consider when you’re looking to procure penetration testing services. Given pen testing forms such a vital part of an ongoing vulnerability management strategy, you need to be confident that they’ll uncover the most critical vulnerabilities that could be lurking within your organisation’s environment.
About Comtact Ltd.
Comtact Ltd. is an award-winning specialist Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.