Pentesting Part 4: Considerations for Choosing a Pentester

In this pentesting series we have discussed the basic principles and ideas behind pentesting, how those principles can be applied to a home network for better security, and why businesses (particularly small businesses) should conduct pentests. This is the concluding post in our pentesting series. Hopefully, you have learned why you should do pentesting.

Get Your Money’s Worth

Just as with any other service you pay for in your everyday life, pentesting providers are not all equally skilled or trustworthy. Penetration testing is expensive. If you’re going to spend the money to have a pentest done on your environment then you’re going to want to have the best pentesting provider your money can buy. Below we have outlined 5 considerations for choosing a pentesting provider.

  1. Formal Methodology
    One indicator that you are dealing with an experienced and skilled pentesting provider is that they have a plan of attack. Ask them questions about how they actually perform the pentest. What is their formal methodology? Do they even have one? Less experienced pentesting providers may give you answers such as “I just attack the system until I find an opening” or something to that effect, essentially they are telling you they don’t have a plan. Stay away from providers who can’t give you a clear answer about their methods. Their method is not as important as them actually having one (as long as it isn’t solely automated scanning).
  2. High Ratio of Manual Testing
    When you ask about their methodology, pay attention to how they do their testing. Do they do mostly automated scans? Or do they find most vulnerabilities in a network by manually attacking it? As we stated in our introduction to this series, pentesting is a manual process where a human attacks a system. A skilled pentester will be able to think critically, outside the box, and find vulnerabilities an automated scan would miss. If the pentesting provider tells you that they mostly do scans, you might consider looking for another provider. Automated scans are a tool, and do not in themselves encompass a pentest. You will want to hire a provider who has a high manual testing ratio over one who doesn’t.
  3. Communication
    Communication will be key before, during, and after the pentest is performed. The pentesting process will not be one without heartache and stress; after all you will be allowing a third party to deliberately break into your system and exploit it. There is definitely going to be heartache and stress. However, working with a provider with whom you can effectively communicate with and who can effectively communicate with you will make the pentesting process less painful than it has to be.
  4. Sample Report
    Ask for a sample report. A sample report will tell you even more about how they communicate. Avoid providers who use canned responses or ones who display pages of meaningless jargon throughout the report. You will want to go with someone who will provide you with a customized report with the information that is relevant to your specific company and your company’s needs.
  5. References
    Let’s say you move to a new city and suddenly experience car trouble. One of the first things you might do is ask a friend, co-worker, or someone you trust if they could recommend a mechanic. Their recommendation would mean more than an ad in the newspaper. One of the first things to ask for when meeting with a pentesting provider is a list of references. If they don’t have references, then speak to someone else who does. Companies who have worked with a particular provider will be able to tell you about their experience.

Final Thoughts

This is not an exhaustive list and many items could be added, but it will help you get started with weeding through the providers who are just in the business to make an easy buck. And remember, as with any business venture, make sure at the end of the day you trust the provider you have chosen. If you aren’t comfortable with them, then don’t go with them. Shop around and find the best provider for your company.

Below are the the previous posts in our pentesting series:

Pentesting Part 1: Introduction to Penetration Testing
Pentesting Part 2: Adopting a Pentester’s Mindset
Pentesting Part 3: It Could Happen to You