Many organizations choose a penetration testing company based on cost and cost alone. Don’t. The information in this article serves as a guide to help you choose the right penetration testing partner for you and your organization. If you are short on time, go directly to the end of the article and at least ask those questions.
What is penetration testing?
I think it is safe to assume that there are many different interpretations and expectations of what penetration testing (or pen testing for short) is. It is common to hear the words “scans” and “pen testing” used interchangeably, but they are two very different activities. Vulnerability scans (sometimes called vulnerability assessments) are automated tests that use a database of known vulnerabilities to identify deficiencies. Penetration testers performing a pen test may run a vulnerability scan as part of the process to identify “low-hanging fruit” or easily identifiable issues, but they should NOT solely run a vulnerability scan and call it a penetration test.
Penetration testing is generally performed to identify weaknesses or vulnerabilities in people, processes, or systems, and/or to gain unauthorized access to systems and/or data; it involves exploitation of the identified vulnerabilities. It is performed professionally and ethically so that issues are identified and can be corrected before they are exploited by actors with malicious intent.
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule defines penetration testing as “a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.” There are companies offering “automated pen testing,” but that is not a suitable replacement for hands-on-keyboard penetration testing. Whether it’s for GLBA compliance or not, remember that automated testing can supplement, but not replace, manual pen testing, due to:
- Limited context understanding
- False positives and false negatives
- Lack of creativity
- Inability to mimic human behavior
- Doesn’t explore business logic flaws
- The complexity of modern web applications
- Lack of adaptability
- Inability to assess social engineering risks
- Dependency on vulnerability databases
- Ethical considerations
What are your goals and/or objectives?
Penetration testing goals will vary, and there are likely to be both primary and secondary goals. You may be looking for a penetration testing partner to satisfy a compliance requirement such as PCI or GLBA, or to help bolster your organization’s security posture. Your cybersecurity insurance company may have instructed you to have a penetration test performed, or you may have just heavily invested in new equipment and had a network architecture overhaul. Whatever the goals are, you will need to know what type of penetration testing you will be requesting and what the scope will be. Types of testing include but aren’t limited to:
- External network penetration testing
- Internal network penetration testing
- Segmentation testing
- Authenticated (and non-authenticated) web application penetration testing
- API penetration testing
- Mobile app penetration testing
- Hardware penetration testing
- Wireless penetration testing
- Physical security penetration testing
- Social Engineering penetration testing (phishing, vishing, smishing)
Some organizations are well aware that they have existing vulnerabilities that have a very low severity and don’t pose much risk to their business model, and may state that the objective should be to identify only flaws or vulnerabilities that lead to data disclosure or to full system compromise. Some organizations may say that getting Domain Administrator access is not a goal, but rather that discovery of the organization’s source code is a main objective, as it could ruin the organization if it were to be leaked publicly.
Discuss your goals and objectives for the penetration test with the prospective penetration testing company. If you aren’t sure, ask. They should be able to ask thought-provoking questions and provide insight so that the engagement provides the most value to you.
Who can you trust?
Imagine this scenario: You need a new babysitter. Are you going to hire the lowest-cost sitter and hope for the best? Not likely. You will want to know what their credentials are, what training they have had, how long they have been sitting, if they come recommended by others, whether they are just going to sit in a room with your child or go above and beyond and teach them, interact with them, plan fun activities, etc. It is no different when choosing a penetration testing partner.
There are strong opinions in the InfoSec community about certifications, which I won’t get into here, but I do believe that asking what accreditations or certifications the company or testers hold is important. While this is not an all-inclusive list, the certifications you may want to look for are:
- Offensive Security Certified Professional (OSCP)
- Offensive Security Certified Expert (OSEP)
- GIAC Certified Penetration Tester (GPEN)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- GIAC Cloud Penetration Tester (GCPN)
- CompTIA PenTest+
- TCM Security Practical Network Penetration Tester (PNPT)
- Zero Point Certified Red Team Operator (CRTO)
- eLearnSecurity Certified Professional Penetration Tester (eCPPTv2)
- eLearnSecurity Web Application Penetration Tester (eWPT)
Evaluating the certifications held is just one way to assess the prospective company or testers. Ask about their experience and expertise. Have the penetration testers been testing for only six months, or for years? What type of training have they had? Do they have published blogs or tools? How engaged are they in the InfoSec community (which might show that they have their “finger on the pulse” and are staying current with the latest technology, tools, and tactics)? Are they looking for emerging threats as well, by discovering zero-day vulnerabilities?
Another area that should not be overlooked when evaluating penetration testing companies is their industry reputation. Research what people say about the company on Google, blogs, forums, LinkedIn, and other social networks. Check with your peers or others in your industry. When you get a recommendation, ask what they liked about the penetration testing company and why they are recommending it.
How do you operate?
You know how you and your organization operate, and you should know the same about the company that you are selecting as your penetration testing partner. Methodologies and approaches to penetration testing vary from company to company, so ask what the prospective company’s approach and pen testing methodology are.
If you need a penetration test performed to meet a compliance requirement, question the company’s experience and expertise with that compliance framework. The PCI DSS is pretty specific in how penetration testing is to be performed to meet requirements 11.3 (PCI DSS 3.2.1) or 11.4 (PCI DSS 4.0). The PCI Council has also published a Penetration Testing Guidance document that goes into much more detail on how penetration testing should be performed. Whether it is for PCI, GLBA, GDPR, or HIPAA, understand whether the company can perform testing to meet the specific requirements you need to fulfill.
One size doesn’t fit all when it comes to testing. All environments are different and can often be complex. A great partner should be able to customize their offering to your requests and environment and be flexible (within reason). You should be questioning how the company collaborates with your team and what the communication is like from the sales process and beyond. Do you want to partner with a company that provides the pen test report and you never hear from them again? Or do you need a partner who walks through the results step by step, answers any questions that you and your team have, can provide mitigation assistance if necessary, and can be available for questions as they arise in the future?
The penetration testing report is the most important piece of an engagement. A poorly written report is of little use. The report should pinpoint the deficiencies identified, provide evidence of those deficiencies, highlight the good things (i.e. defenses in place) that the testers observed, describe the risk of each deficiency or finding, suggest mitigations, and provide detailed steps to replicate each finding so that you can verify that the mitigation techniques in fact worked. Ask the potential partner for a sample penetration testing report and for what other types of documentation you may expect to receive following the testing.
There is a lot to consider when evaluating penetration testing companies and deciding on who you want to partner with. Below is a consolidated list of questions you may want to ask or keep in mind, whether it is an initial sales call with a pen test provider or an RFP process.
- Can you explain the difference between a vulnerability scan and a penetration test?
- What types of penetration testing do you perform?
- Describe your pen testing process and methodology.
- How much manual work vs. automation is utilized?
- What credentials, certifications, or experience will our assigned testers possess?
- Do the members of the pen testing team have a background in administering the systems, networks, and/or applications that they are testing?
- How involved are your company and testers in the InfoSec community, and how do they stay current with emerging technology, tools, and tactics?
- Describe your experience and expertise with the “XYZ” compliance framework, and what your approach to penetration testing for this framework is.
- Describe your communication and collaboration process from the beginning to the end of a partnership.
- Ask to see a sample pen test report and see if it matches your expectations.
- How many hours will be used for our testing? Or what is the cost breakdown of your estimate?
RedLens InfoSec, a Division of CampusGuard, goes beyond using automated tools to provide a customized, hands-on approach to perform pen testing with our dedicated team. We want to be your pen testing partner to help your organization meet compliance requirements and secure your business. Get started today!