How to choose the right penetration testing vendor
Choosing the right penetration testing (pentest) vendor is one of the key success factors for a pentest implementation. There are many considerations when choosing the right vendor for your company. The common questions are usually:
1. Vendor reputation vs. vendor ability?
This question is the same as the basic question of what we need vs. what we want. Dealing with a reputable vendor, e.g. one of the big four or a large IT consulting company, would be very nice for the company portfolio. We can present the test result to board management, or even internally, as proof that the assessment has already been run.
Compared to that, choosing a small unknown vendor, who actually works as an underground hacker, may deliver a better result. But since nobody knows the vendor, sometimes the result cannot be accepted by everyone.
2. How deep and how far?
Usually a pentest is performed over only 2-3 weeks, and the pentester tests the environment from inside and outside the corporate network. However, there is no exact limit on how deep and how far we could perform a pentest. A good pentest vendor always offers the best alternative pentest strategy: not only their ability, but how they could deliver the result within the short time of the project.
3. Who will close the finding?
The result of a pentest should be a list of findings across every IT infrastructure component or process. Many firms can find large leaks in information system security, but few can give a good solution for the problem. As you should know, the vendor who performs the pentest and the vendor who closes the findings should be different, to maintain good segregation of duties.
4. Network guy or audit specialist?
There are two types of pentester in the security world. The first comes from a network background; most networking companies, e.g. Cisco, 3COM or Datacraft, have this kind of person, and they usually hold CISSP or CCNA certification. The other type of pentester comes from the audit area; this person usually has a CISA (Certified Information Systems Auditor) or CISM background.
You should be aware of which type of person your pentest vendor offers for your pentest project. The best choice is to use both a network specialist and an audit specialist. The combination of these skills will deliver the best result for the testing.
5. Penetration Testing as routine event
To maintain good information security governance, penetration testing should be performed routinely, once a year or once every two years. Also for governance purposes, the vendor should be changed periodically, e.g. after 3 engagements the company should change the vendor. Bringing in a new vendor is good for seeing other areas that could not be seen by the previous vendor.
Any questions about this selection strategy?
Anjar Priandoyo, CISA