How to choose a penetration testing vendor
After you or your company makes the decision to use a penetration testing vendor, the next step is to choose the appropriate vendor. The factors you should consider are as follows:
- Confirm liability insurance —Make sure the company provides adequate liability insurance in the event of unapproved damaging consequences of testing.
- Ask for references —The company might have previous clients that you can talk to. Many customers do not want their name given as a customer for privacy reasons, but some companies are willing to discuss their experience with penetration testing vendors.
- Perform background checks —The company should either provide you with documentation on criminal background checks of employees, or you should perform your own background check on their employees.
- Ask for sample reports —These should not be actual reports. If they are, who is to say that the vendor will not use your report as an example for another potential client? Avoid doing business with vendors who provide you with real reports. These sample reports should be generic reports without a reference to company identities, IP addresses, or host names.
- Assess the professionalism of the team —The sales team for the testing vendor should not use intimidation as a means to obtain business. They should not use scare tactics to convince you of your need to use their services. They should maintain professionalism at all times.
- Determine the scope of your testing —Make sure your vendor has the skills to test every component. If not, either consider another vendor or look into using multiple vendors.
- Confirm whether the vendor hires former black-hat hackers —Some vendors advertise that they hire former black-hat hackers for their testing team. However, it is best to avoid testing firms that advertise hired hackers because you cannot be sure the hacker is going to be completely ethical in his behavior.
- Avoid hiring firms that offer to perform hacking for "free" —Some firms offer to attempt to hack and obtain "trophies" to show their skill. This is usually a sign of desperation on behalf of the company.
- Determine whether the firm is knowledgeable about industry regulations —For example, if you are a health care organization, confirm that the vendor is familiar with HIPAA requirements.
- Confirm how long the firm has been performing penetration tests —You should use firms that have experience performing tests.
- Confirm whether penetration testing is the primary business for the vendor or just a service that it offers —Some smaller integration companies perform penetration testing as one of many services. Although this is not bad in itself, you should research how much investment they have made into developing their service offering.
- Identify what security certifications the testers hold —Common security certifications include CCIE: Security, CEH, CISSP, CCSP, GIAC, OPSTA, and Security+.
- Determine whether the vendor will provide you with the IP addresses of their testing machines —If it is a black-box test, you might be given only a domain name to start with.
- Define a clear cut-off time when the testing is to end —Times can vary, but typical penetration tests can last anywhere from two weeks to two months.
- Confirm whether the vendor will provide you with logs, screenshots, and other relevant raw data —The vendor should be able to validate its findings through necessary documentation.
- Ask the penetration testing firm what tools and methodologies are used —Does the firm use scanning tools only (for example, Nessus, Saint, Sara, Satan, ISS, eEye, NetRecon, and others)? Or does it use a toolkit of many tools designed for a variety of operating systems? Make sure that the firm takes a methodical approach to its testing, such as using the Open-Source Security Testing Methodology Manual (OSSTMM) or another internal approach.
- Consider whether you want to use multiple vendors or a single vendor —Most companies like to rotate between two or more firms.
- Meet the penetration testers themselves and not just the sales team —You want to ensure that the sales team does not oversell you and make promises or claims that are unrealistic. Interviewing the penetration testers can help you get a feel for their technical expertise. You should inquire into their experience and exposure to penetration testing. Their certifications can also help gauge their base level of knowledge.
[Penetration Testing and Network Defense 2005. Andrew Whitaker, Daniel P. Newman]