How to Select the Right Third-Party Pen Testing Service
As both cybersecurity breaches and compliance mandates increase, third-party pen testing services are no longer seen as optional. These teams specialize in ethical hacking that gives organizations insight into exploitable weaknesses and attack paths in their IT environment. Because demand is so high, more and more testing services are emerging, presenting businesses with a new challenge: selecting which service to use. How do you know which one is right for you? Before you decide on a partner, it's important to ask the right questions, both of your organization and its needs, and of the service provider's processes, capabilities, reputation, and experience.
What Kind of Assessment Do You Need?
Each pen testing service is different, with varying expertise and specialties. Before you decide on a firm, it's important to have an idea of what you want out of a pen test. For example, you'll need to decide on the scope of work and which parts of the infrastructure you want assessed, such as your network, web applications, or specific devices. You also need to think about the project type: whether you're looking for a focused penetration test that will uncover and exploit weaknesses within a defined scope, or a more comprehensive red team exercise that simulates a realistic attack scenario end to end in order to test (and train) your detection and response capability. The items you'll want to discuss with potential security consulting services include:
- Scope of work: network assets, applications, and/or devices
- Objective
- Project type: Red team, penetration test, application security assessment
- Testing techniques: black box, gray box, white box
- Testing approach: static analysis, dynamic analysis
- Testing environment: production, UAT, staging, single-tenant, multi-tenant
- Methodology
- Results
By knowing your requirements up front, you'll be able to ensure that you're in alignment with the pen testing service you choose. There is a lot of variety between teams in how they approach testing and even in how they define certain terms (one firm's "red team" may be another firm's vulnerability scan). When talking with different service organizations, make sure you understand their methodology and how they define each term above. The only way to ensure a successful partnership is to make sure you are both on the same page.
Does the Pen Testing Team Have the Necessary Skillsets?
Not all pen testing teams are created equal. Many focus on basic, routine tests performed with an automated pen testing or vulnerability scanning tool, and package the output as a custom service. Your own security team could run such tools, so it's important to find a partner whose experts can tailor their tests to your needs and goals, go beyond what a scanner reports, and advise you on the different testing options.
There are many ways to evaluate skillsets. Many testers have degrees in computer science or engineering. There are also industry-specific certifications that demonstrate advanced knowledge and skills. Some of the most widely recognized include Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and Offensive Security Certified Expert (OSCE); the hands-on, exam-based certifications are generally a stronger signal of practical skill than knowledge-only ones. You'll also want a team that keeps its skills and certifications up to date with continuing education and training. Ask whether team members are given time to conduct independent research into new techniques, or whether they attend industry-leading training and conferences.
Is the Pen Testing Team Experienced?
Testing teams are usually made up of two or three practitioners working together. In most cases, a senior consultant will lead the effort and be your primary contact. You typically want a senior consultant to have at least five years of experience, solid technical skills (ideally holding at least one industry certification), and the ability to adapt to changing test conditions. This level of experience enables them to handle multiple types of environments and identify threats within a very limited timeframe.
As for the other members of the team, it's worth discussing where their expertise lies. Experience within the cybersecurity industry can be extremely broad. Some testers come directly from university, while others have spent time in another area of IT or cybersecurity. A team with experience in different areas, such as network infrastructure, software development, and auditing and assessment, can be particularly useful.
Does the Pen Testing Team Have Defined Processes?
One of the best ways to judge the quality of a third-party service is by the quality of its procedures. Pen testing can't be done on a whim by unknown parties without a plan in place. During a pen test, these firms have access to sensitive information, and a careless operation could leave your environment less secure than when they started, for example through incomplete cleanup of test accounts, web shells, tooling, or configuration changes made during the engagement. It's vital to know exactly who will be conducting these tests. You'll want to know how a firm decides whom to hire, as well as the names and bios of the testers proposed for your engagement. Once you know who will be doing the testing, you'll want to know how they'll go about it. Any firm you consider should provide a proposal that details:
- Scoping
- Project methodology
- Team selection
- Rules of engagement
- Reporting
- Handling of PII and other sensitive data gathered during testing (storage, retention, and secure deletion)
- Escalation
Reporting is a particularly important part of pen testing, and it determines how beneficial a test is in the long term. The report needs to include not only a thorough presentation of the results, but also clear guidance on how your security team can proceed with remediation. This includes reproduction steps for each finding, the tools and techniques used in the project, and a prioritized list of the most urgent concerns. Comparing sample reports will show the differences in structure and in the level of detail provided. Looking more broadly at other work the team has published demonstrates the quality of their write-ups: for example, vulnerability advisories authored by specific team members show their expertise and the value of their deliverables, as well as illustrating their reporting process.
The Importance of Choosing the Right Pen Testing Team
Most commonly, third-party pen testing teams are sought to validate compliance with industry standards and regulatory requirements, including GDPR, HIPAA, SEC rules, and CMMC. However, a talented third-party team is helpful for other reasons as well, allowing you to take a proactive approach to security before your organization suffers a devastating breach. Ultimately, choosing the right pen testing team provides an independent outside opinion and a fresh perspective, with new insights to bolster your security.
About Core Security Pen Testing Services Offering
Core Security, a Fortra Company, has been providing expert level services and researching vulnerabilities for more than 20 years.