Don't Just Scan, Test: Choosing the Right Penetration Testing Partner


In today's digital landscape, ensuring your organization's security is no longer a luxury; it's a necessity. Recent security concerns are pushing businesses to revamp their security practices and take a closer look at potential vulnerabilities. If your organization, like the SMB running e-commerce websites mentioned in our sources, is realizing that your websites are not getting the same scrutiny as your servers and networks, then penetration testing should be on your radar.

However, not all penetration tests are created equal. It's crucial to confirm that you are buying a genuine penetration test and not just a vulnerability scan dressed up in a polished report. To truly examine the overlooked corners of your environment and strengthen your defenses, you need to choose the right penetration testing partner. Here are some key considerations, drawing from the experiences and advice shared by cybersecurity professionals:


Ask the Right Questions to Identify a Quality Pen Tester:

When you have those initial calls with potential penetration testing companies, go beyond the sales pitch and delve into their technical capabilities and approach. Here are some crucial questions to ask:

  • "Can you walk me through your penetration testing methodology?" A reputable company should have a clear methodology, potentially referencing industry standards like the OWASP Top Ten for web applications. However, be wary of vendors who mention only the OWASP Top Ten, as it is not an exhaustive list of vulnerabilities. Ideally, their methodology should form a baseline for a more tailored, manual approach.
  • "Do you perform manual testing, or do you primarily rely on automated vulnerability scans?" While automated tools have their place, a quality penetration test involves significant manual testing by experienced professionals. Be suspicious of very low prices, as they often indicate a lack of manual effort. A good report should demonstrate a thorough manual review by someone knowledgeable in network and application penetration testing.
  • "Can you provide a de-identified sample penetration test report?" Reviewing a sample report will give you a sense of their testing depth, methodology, the clarity of their findings, and how they package their outputs. Look for evidence of exploitation, a detailed methodology, and creative impact demonstrations, not just a list of vulnerabilities. The report should include both an executive summary and technical details, complete with a Proof of Concept (PoC) for each finding.
  • "How do you determine the scope of the penetration test?" The vendor should ask intelligent questions about your applications, environment, user model, key integrations, and technology stack to accurately estimate the effort and identify any need for specialized expertise. Consider doing some threat modeling internally to help define your testing scope based on your specific concerns.
  • "What kind of narrative do you provide in your report?" Insist on a narrative that explains how the testers went about their attacks and why. A good report won't just list vulnerabilities but will explain the steps taken and the reasoning behind them.
  • "Do you offer any post-engagement services, such as re-testing or verification of fixes?" It's valuable to have the pen testing firm re-validate your fixes to ensure the vulnerabilities have been properly addressed. Negotiate the terms for revalidation upfront.
  • "What are the qualifications and experience levels of your penetration testers? Are they permanent employees or contractors?" Understanding the team's composition can give you insight into the company's commitment to quality and staff training. While certifications aren't everything, they can be a starting point. Some prefer testers with certifications like OSCP over CEH.
  • "Can you provide references from other clients?" Speaking with their previous customers can provide valuable insight into their service quality and reliability.

Beyond Compliance: Aim for Real Security Improvement

While penetration testing is often required for compliance with standards like PCI DSS, remember that the primary goal should be to improve your security posture. The best penetration testing vendors will seek to understand your business and operations before diving into the technical aspects. They should act as a partner in strengthening your defenses, not just someone who checks a box for an audit.

Consider Different Levels of Offensive Security:

As your security maturity grows, you might also consider other offensive security services:

  • Red Team Assessments: These are more in-depth and often longer-term engagements that simulate real-world attacks to test your organization's overall security readiness. A red team comprises offensive security experts who attempt to breach your defenses.
  • Blue Team: The blue team is responsible for defending against and responding to attacks, whether real or simulated (like those from a red team).
  • Purple Team Assessments: These exercises involve collaboration between the red and blue teams, with the goal of improving the blue team's detection and response capabilities in real-time.
  • Adversary Simulation: This technique replicates the tactics, techniques, and procedures (TTPs) of known threat actors to evaluate your defenses against specific threats.

In Conclusion:

Investing in penetration testing is a proactive step towards securing your organization. However, the value you receive will heavily depend on the vendor you choose. By asking insightful questions, understanding their methodology, and looking beyond basic vulnerability scans, you can find a partner who will truly help you identify weaknesses, improve your defenses, and adapt to the ever-evolving threat landscape. Don't just scan – invest in a thorough test that provides actionable insights and strengthens your overall security.
