Choosing the Right Pentesting Team

Consider these key attributes to make a good decision
Data breaches and cyberattacks against companies of all types and sizes continue to increase in a world that is now predominantly digital. (See information here on the previous year’s cybercriminal trends.) Many of these companies have realized the need to run security testing on their systems to determine whether they are vulnerable to potential threats and to carry out the required improvements ASAP. Other companies, however, may do so only to the extent needed to comply with industry standards and consumer protection regulations such as HIPAA, PCI DSS, and GDPR. One way or another, penetration testing (pentesting) has been gaining value and popularity as a security assessment over the years among organizations beyond government agencies and banks.
For this reason, the pentesting market has become much larger, with more and more vendors offering their services, which makes choosing one increasingly complex for the companies interested in them. As the professional pentester Elliot expressed at Security Boulevard last year, "Selecting a penetration testing company can be a daunting task. It’s an industry plagued with misleading sales tactics, weak certifications, and simply unqualified professionals." As a consequence, different companies and individuals involved in cybersecurity have been sharing on social media some tips to take into account when choosing a pentesting provider.
Before going through those tips to better understand the market, let’s get a little more familiar with the concept. In the late 1960s, so-called 'tiger teams' began to emerge to test the ability of government and business systems to resist cyberattacks. Among the pioneers of penetration testing is James P. Anderson, who in the 1970s established the final testing steps for those tiger teams. However, it was only recently, in 2009, that a penetration testing execution standard was defined for probing systems for ways to breach them and gain access to data. This rigorous approach combines manual procedures by ethical hackers with automated checks by tools, the former being predominant. In short, pentesting is a security assessment that simulates genuine attacks in order to identify vulnerabilities that cybercriminals could exploit in a particular environment.
A year ago, Charles Horton published a post for NetSPI outlining four attributes you can consider when choosing an appropriate pentesting and vulnerability management team for your organization. First, he refers to the undeniable importance of having a talented group. Each pentester should be able to view the targets through the eyes of a malicious hacker. They should be agile in acquiring knowledge and improving the techniques they employ according to the needs of their clients and the new complexities of their field. Of course, you should verify that what you are linking with your staff is really a team and not a single individual on whom all the weight and responsibility fall.
In relation to the talent attribute, other sources (e.g., Infosec and Intruder) also talk about certifications and experience. They recommend looking for pentesting teams whose members hold industry-recognized professional certifications such as CEH, CRTE, OSCE, OSCP, OSWE, and OSWP. Such credentials may give some confidence regarding the competence of the pentesters. But beware, they should not be taken as a sufficient basis for choosing a team! As Elliot says, the certifications "still fall very short of [what’s] expected of a skillful pentester. Remember that certification bodies inherently must target a large enough group of people to stay profitable." Instead, he invites you to pay close attention to companies' git repositories as well as their research and publications.
Figure 1. Photo by Shahadat Rahman on Unsplash
As a second attribute, Horton highlights the team's ability to maintain pentesting processes that are standardized and, at the same time, customizable. Through standardization (as can be achieved, for instance, with pentest checklists), a specialized company should guarantee consistent results across different evaluation projects. As for customization, they should demonstrate that they recognize the similarities and differences between their customers' needs and can adjust their penetration testing accordingly.
Customization is related to flexibility and to an open mindset, a quality every pentester must possess. The analysts you choose to assess your organization’s security should be curious and creative, always interested in learning new techniques and new environments in which to simulate attacks. Of course, to ensure that the pentesters involved are an appropriate match for your needs, keep in mind the words of Andrew at Intruder: "make sure your potential provider has relevant experience in the types of technology you’re working with."
As a third point, Horton mentions that an excellent pentesting team for your business should know how to handle and present the data obtained from the analysis, and do so in a way that allows your staff to remediate vulnerabilities quickly and effectively. It is the pentesting team, with its tools, that should organize detailed reports and prioritize the findings for you, saving you some administration headaches. As Brecht at Infosec points out, pentesting reports can be swamped with technical jargon, which is a problem. This is why the ability to communicate complexity in terms that non-technical executives can understand is highly valued. So, request, review, and compare sample reports from providers!
We can also add that the company providing the service must allow you to establish a documented agreement on confidentiality and data security. Beforehand, the vendor must hold liability insurance to protect your company from any damage or loss related to your systems and information assets. Additionally, you must know which pentesters will be in charge of conducting the tests and how the data will be managed, requesting information such as their names and bios.
Horton ends with an attribute that emphasizes the collaborative quality of the pentesting team. From the outset, the members of these evaluation groups should be trained to have a collective mindset. Beyond sharing knowledge internally, collaboration is about expanding it, delivering it to others outside the corporate boundaries, and contributing to a community dedicated to cybersecurity. We can add that the pentesting team should know how to maintain constant and clear communication with your staff. They should always provide feedback on progress, difficulties, and results, along with valuable recommendations for action.
Selecting a competent penetration testing provider is not a simple task, but it is ideal for detecting vulnerabilities in your systems and keeping your organization healthy. If you are looking for a penetration testing service provider for a long-term partnership, we can show you how we at Fluid Attacks meet all the attributes listed here and even more. We are a company that recognizes the fundamental value of manual analysis in pentesting, so we employ automated tools but overcome their flaws through human hackers' efforts. We are among those who offer you re-attacks to confirm that the vulnerabilities have been successfully remediated. Moreover, we surpass the typical number of two or three professionals per project, reaching an average of 15 ethical hackers!