Choosing a Penetration Testing Partner

How to choose a penetration testing partner

April 1st, 2023 Posted in Penetration Testing

The importance of a good penetration testing partner

A good third-party penetration testing partner will guide you through the pen test process and provide clear reports that enable you to understand and improve your company’s security posture. The challenge for many organisations is finding the right cyber security services supplier when penetration testing costs vary so widely, and understanding what kinds of vulnerabilities a pen test supplier is likely to find. But, first things first: how do you choose a penetration testing partner?

This blog will help you understand what to look for and how to choose a penetration testing vendor. Organisations of all shapes and sizes are grappling with the challenge of cyber security, particularly over the last 3-4 years as the number of people working remotely rose significantly. The business landscape is evolving quickly. Digitalisation has become a mainstay and companies are producing – and storing – more and more sensitive data in many online locations, including their own web applications, supplier platforms, the cloud, and beyond. This increases the ‘attack surface’, meaning attackers have more locations and sources to target when trying to reach a victim’s data. Our senior security consultants Alex Harper and Marcus Chambers also answer some important questions about choosing a penetration testing provider in a post-pandemic, hybrid working world.

At the same time, cyber-attacks are becoming more sophisticated and stealthy – just look at the recent Kaseya ransomware attack. With more endpoints, more data, and more infrastructure, the potential for security vulnerabilities being inadvertently exposed or maliciously exploited is growing – and must be assessed and managed. This is where penetration testing becomes essential. Learn more in our blog on the benefits of penetration testing.

What is penetration testing?

Penetration testing can be defined as a point-in-time security assessment, where a suitably skilled penetration tester uses a combination of tools and manual exploitation techniques to uncover real-world security vulnerabilities in your IT infrastructure. Whereas a vulnerability scan identifies weaknesses using automated tooling, a penetration test goes much deeper: the tester attempts to exploit the weaknesses found, using a combination of tactics and techniques, to establish the real security strengths and weaknesses of your systems.

Regular penetration testing is essential to managing and mitigating cyber security risks. When carried out properly, these tests help you to improve your cyber security posture and give you the knowledge to fix security weaknesses within your systems.

Furthermore, in the case of supplier relationships, penetration tests are increasingly mandated before anything is signed on the dotted line. Likewise, well-known security standards such as PCI DSS, the controls within an ISO 27001 ISMS and regulations such as the UK GDPR may necessitate regular penetration testing and security assessments for security assurance and resilience.

Our penetration testing solutions include several types of testing, such as mobile application testing, web application security testing, API pen testing and network infrastructure testing. For a deeper overview of penetration testing and the different types, read our guide to penetration testing.

Can I carry out my own penetration tests?

In a word, ‘yes’, but there is often a very big difference between the skills and experience of an in-house tester and those of a security consultant working for a CREST-accredited penetration testing provider. By nature, this field is highly technical and complex. The methods used require technical know-how, up-to-date knowledge and testing experience, which can make security testing daunting for organisations to carry out internally.

For this reason, many organisations look to third-party pen testing companies because they can:

  • Offer an experienced, technical penetration testing consultant who has a deep understanding of the discipline
  • Carry out independent, industry-accredited vulnerability assessments that provide assurance to suppliers and customers
  • Perform a varied range of tests, such as internal or external, black box or white box (ethical hacking), and so on
  • Use a tried and tested pen test methodology

It’s worth noting that a pen testing consultant can perform the test with or without prior knowledge of the client’s systems. When you schedule a penetration test, part of the process will involve defining the scope of the engagement, including whether the tester will be given access to and information about your systems or no prior information at all. These approaches are known as white box, black box and grey box testing. For organisations looking to conduct a penetration test, understanding the definitions of each is essential to ensure you are meeting your objectives.

How to choose a penetration testing partner: Four steps

Step 1: Establish your needs  

Before choosing a pen testing provider, you should first establish a baseline understanding of your needs, such as your testing requirements, your budget and your objectives. This is essential to ensure you procure the right provider.

It’s important to remember that penetration tests are not a tick-box exercise. If a provider has an offer that seems too good to be true – in terms of both time taken and cost – then you should be cautious. Quality penetration testers may be more expensive, but the value they bring will be far greater and more useful for your company. Some organisations offer ‘penetration testing’ that is little more than a glorified vulnerability scan – which might be why they seem cheap.

Step 2: Find a long-term, quality supplier  

Once you have defined your requirements, it’s time to start the procurement process. When shopping for suppliers, you should look for a provider you can build a long-term relationship with. After all, penetration tests should be conducted at least annually, so you want to find a testing team you can build a solid relationship with, and whom you trust.

As well as looking for a long-term partner, you also want depth and breadth of expertise. As mentioned previously, there are numerous types of penetration tests, so you want a partner who can cover all your requirements – and more – and who can help you determine the right tests to meet your objectives and budget. Look for a team who can add value to your cyber security strategy, who has the knowledge to help you understand the complexities of penetration testing and who can bolster your cyber security posture.

Step 3: Validate their credentials and reputation 

You should only consider working with a company if they hold trusted external accreditations. CREST is a well-known, high-standard accreditation in the penetration testing arena.

Using a CREST-accredited penetration testing service, like Evalian, to carry out penetration testing means that the quality, technical capability and skills of the consultants you have access to are of an internationally recognised high standard. It also ensures you are being provided with professional services delivered by highly skilled, knowledgeable and competent consultants.

It may also be worth researching your potential pen test partners to look for evidence of their reputation and experience. For example, you could look for client testimonials and reviews; reports, research and thought leadership about penetration testing; and further security accreditations and qualifications.

Step 4: Engage and clarify 

Once you have one – or a few – suppliers you think could work for you, it’s time to engage. Before formalising the relationship, it’s worth asking the following questions to establish that the supplier is the right fit:

  • What’s your methodology for penetration tests? Ask this question to gain an understanding of the provider’s knowledge and expertise. They should be able to explain the different kinds of tests to you, as well as offer tailored advice that links to your specific objectives and issues.
  • Can I see a sample report? It’s helpful to review penetration testing reports beforehand, to ensure that the tests are fit for purpose. You should look for reports that are concise, easy to understand and give actionable advice for the vulnerabilities discovered.
  • What happens after a test? A good testing organisation should provide you with remediation guidance in their report and be available for a wash-up call with you to discuss their results, recommendations and remediation.
  • Do you provide a free retest? It is common for testing organisations to offer to retest vulnerabilities after they have been remediated, to provide assurance that the issue has been fully corrected. Different testing organisations have different policies on free retests, so remember to ask for details.

Once you’re happy with these answers, it’s time to finalise your choice, and then agree and define the scope of work and objectives.

Want to ask us about penetration testing?

If your organisation needs help running a pen test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations arising from our findings. Contact our friendly team to discuss your requirements.

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QSTM).