Re: Choosing an Independent Penetration Testing Firm

[Anders Thulin <anders.thulin () sentor se>]

On 2013-02-07 02:31, Remi Broemeling wrote:

> Does anyone on here have any specific recommendations on what to look
> for when choosing an independent penetration testing firm?

It usually takes one to know one.  But as always, asking for references for
comparable jobs and evaluating them is often a good thing to do.

Reporting is the most important part of the job: if you get a report you
can't use or don't understand,or doesn't cover what you need it to cover,
the job will be largely wasted. Ask for a sample, and discuss it with them. You
need to think things through: what *do* you need the report for?  Do you need
one or more reports -- in some environments knowledge about vulnerabilities
must be kept compartmentalized. You may need a different structure than the sample,
and the tester should not have any problems with that.  (If they do, they may be
relying on pre-canned functionality, which may not be a good sign.)

The company should be able to explain what they mean by a penetration test.
Some just do vulnerability scans without actual penetration attempts, others
include things like denial-of-service attacks, social engineering, physical
intrusion etc. in the term.

The company should ask for systems that require special considerations: systems
that must not be upset by the tests. (Doing pen-test on a live environment
during an important demo for a customer or investor, for example, is a no-no.)
Some tests might be advisable to do at certain dates or certain times, when
system admins can be watching. If they don't ask you, ask them.

Also ask them about confidentiality agreements, damage insurance, certifications,
methodology, tools, vulnerability classifications.  Not all are relevant, and you
may not care about the actual reply, but you do want to know how they reply.

You may also ask them for recommended action: how do they like *you* to work
with the result.  Some companies stop at mitigating action, such as removing some
services, and reconfiguring others, while others would prefer you to identify and
correct any errors in procedures or routines that contributed to any vulnerability
found.  If one vulnerability is due to sloppy change management, just correcting
the vulnerability doesn't really address the root cause of it.

If you have any 'friend companies', benchmarking partners, etc. who have done
pen tests, check with them for experiences and recommendations.

-- 
Anders Thulin      070-757 36 10 / Intl. +46 70 757 36 10

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature