The cyber security industry is going through a boom similar to the explosion of new companies in the heyday of the early dot-com era. The increased demand for cyber security is driving the growth of vendors offering penetration testing services.
Part of this increased demand comes from government regulations, which require certain industries to meet specific minimum cyber security requirements, such as penetration testing.
Whether businesses are inclined to invest in information security because of today’s cyber threat landscape or because of government regulations, their leaders are still faced with the task of choosing the right vendors.
When it comes to finding a pentest vendor, how do you know whether you’ve found a good one?
In an effort to help you out, we’ve assembled a quick list of what to look for in a penetration tester.
Look for technical capabilities
A pentester’s main goal is to exploit your network, so you’ll need talented staff at the firm you’re hiring. This requires trained and experienced pentesters.
There are multiple certifications related to penetration testing that you should look for when vetting a potential vendor.
- CEH – Certified Ethical Hacker
- CISSP – Certified Information Systems Security Professional
- GPEN – Global Information Assurance Certification (GIAC) Penetration Tester
- GWAPT – GIAC Web Application Penetration Tester
- OSCP – Offensive Security Certified Professional
- OSCE – Offensive Security Certified Expert
- SANS GXPN – GIAC Exploit Researcher and Advanced Penetration Tester
Note: The Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications are particularly sought after because they are skills-based, with hands-on practical exams rather than multiple-choice tests. SANS GXPN is also respected.
In addition, it’s a plus if the pentester has a background in managing networks or systems, or in developing applications, before moving into cyber security. This can prove particularly useful in red team exercises during a pentest.
A pure cyber security focus
Cyber security should be a primary focus of your pentest vendor. Hiring a consulting firm that occasionally performs pentesting won’t really cut it. You want a vendor who has significant experience providing penetration tests.
If cyber security is not a core offering of the vendor, you’ll have to question how security-minded they really are and whether they can properly perform a pentest.
A vendor that isn’t purely cyber security focused will probably be insufficiently involved in the information security community to keep up with what’s going on in the threat landscape. This can affect the way they deliver services.
A clear understanding of the difference between vulnerability assessments and penetration tests
Ask your potential vendor how their penetration testing methodology differs from a vulnerability assessment. Are they running a vulnerability scan and calling it a pentest, or are they only using off-the-shelf tools to perform penetration tests? The reality is that vulnerability assessments are a different service altogether, and off-the-shelf penetration test tools only go so far.
Remember, a pentester’s goal is to exploit your network in order to find new or hidden weaknesses that a vulnerability assessment couldn’t have found, so that you can address them. As a result, you want the service to be custom tailored to your environment.
If the vendor can’t differentiate a vulnerability assessment from a penetration test, select another vendor. Fast.
It’s important to have a proper pentest: if you’re required to have one for compliance purposes, you’ll be in trouble if your vendor sold you a vulnerability assessment while believing they had sold you a pentest.
If you’re paying for cyber insurance, you can also find yourself denied coverage in the event of a breach if you stated you were in compliance for your industry. Virtually all compliance or regulatory schemes require pentesting.
When it comes to your environment and your networks, you want to make sure you hire quality, capable professionals. In cyber security, you get what you pay for. Make sure you’re contracting the right people and protect your business-critical digital assets.