Okay, you've decided. You've seen statistics of annually increasing security breaches. You assessed your risks and had got your heart in heels having realized the financial losses if any security disaster would occur (knocking on wood!). You more or less defined the scope and calculated how much of the company budget you're ready to spend on a pentest audit. The last step is to choose the right provider. Selecting the best penetration testing company can be compared to choosing the right summer camp: those people are going to take care of your "child"! You expect them to be professional, gentle and want your "kid" come back safe and in better health!
Here are some recommendations to stick to at picking the best penetration test vendor.
You might ask here "And why does it matter? I'm not looking for a company on Friday evening, I'm searching for partners!" Yes and no. Look at this from the perspective of trust: those guys will sift through your system assets to make in-depth assessment about their state. They may find out gaps where you least expect and you don't want to get blushed and confused. Search for professionals but those who you are not embarrassed to open your system secrets.
Recalling the comparison with summer camp selection, get real: you want to trust your system to people who are certified and have experience with dealing with such troubled "kids". Reliable penetration testing companies strive to attract the best security experts. That’s why during the interview feel confident asking for certificates and documents that can prove security expertise.
For example, CISSP (Certified Information Security Systems Professional) asks from its candidates to have at least five-year work experience in two or more of CISSP domains and a relevant degree.
Be sure to ask a provider who of their pen testers will conduct penetration testing of your system, and make sure that he or she is really professional in their field. If you are not provided with such information, or it is highly questionable, think twice before using the services of this company.
No jokes, security is the real deal.
Proven methodologies and industry recognized bodies should be team's wheelhouse. Security experts should know their stuff from basics. Professional pen testers are expected to strictly follow the ethical code, analyse the latest security trends and give security conference presentations.
They should plan their work in strict compliance with professional ethics and regulations stated by internationally recognized security agencies, for instance, OWASP (Open Web Application Security Project Testing Guide), PTES (Penetration Testing Execution Standard), NIST (Special Publications 800-115 Technical Guide to Information Security Testing and Assessment), OSSTMM (Open Source Security Testing Methodology Manual), ISSAF (Information Systems Security Assessment Framework), WASC (Web Application Security Consortium Threat Classification).
Penetration testing, alike vulnerability scanning, isn't about bare search for vulnerabilities. The test procedure should be followed with a comprehensive and detailed report written in a manner non-tech personnel would be able to get into the nitty-gritty of company security defence.
The proper result of a penetration test report obligatorily must include such parts as:
Social recognition helps at making decision whether it's a yoga studio or a sushi restaurant. Humans tend to choose things that are socially approved, and that's why don't hesitate to ask for the company's testimonials or case studies similar to your domain.
Remember that selecting a penetration testing provider has long-term results.
The right team become your partner in crime - crime that prevents cybercrime against your system.
A good example of such a company - Dhound Penetration testing. We understand hackers' nature, but had chosen to play on a bright side and fight for secure Internet space.
No time to wait — let’s get things done!