How to Identify a Qualified Penetration Tester

Choosing a vendor for penetration testing can be a daunting task. An online search for penetration testing will hit you with advertisements from many well-known security brands out there. It’s no secret that these security companies pay big bucks to show their ads when you search, and generally that cost is passed on to their customers. It’s not uncommon for potential customers to experience sticker shock when it comes to pen-testing, and they may wonder if they are really getting what they pay for.

It’s sad that some companies feel a sense of security in high-cost testing, imagining that if they pay more they’ll get higher quality service. And to an extent that thinking isn’t surprising. On one hand, you want your test to be done properly and with a high level of expertise. On the other hand, you don’t want to be ripped off, paying an excessive price for questionable work. So how can you weed out the poor value options and find a qualified vendor at a reasonable cost?

Questions to ask when looking for a qualified penetration testing vendor:

What certifications does this potential pen-tester hold?

This is an important question. While it’s true that merely holding a cert doesn’t make someone a good pen-tester, it is a good place to start when gauging how serious a vendor is about educating employees and keeping up to date with current techniques and standards. Many auditors and customers will want to see that pen-tests are performed by individuals who hold at least one of the common penetration testing certifications available. Some of these certifications include:

  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • GIAC Certified Penetration Tester (GPEN)

As a note of caution regarding pen-testing certifications, not all credentials are equal in value. For instance, the Certified Ethical Hacker certification is sometimes dismissed by security experts as having little value. Rather than demonstrating real-world hacking skills, some certifications just show that a person can pass a multiple-choice test.

In our opinion at Backbone Security, the Offensive Security Certified Professional credential should be considered the gold standard for pen-testers. Attaining this certification requires an understanding of sophisticated tasks along with employing real-world hacking skills during a 24-hour test. To make the difference between certain certifications clearer, consider an example. An OSCP will have demonstrated that they can write and deploy a custom buffer overflow exploit. A CEH might have picked “buffer overflow” as the right answer on a multiple-choice exam.

With that said, Backbone Security requires its penetration testers to hold, at a minimum, the OSCP credential.

What is this penetration tester’s past experience?

Would you be excited if you heard that you are a surgeon’s first real patient? Even if he or she came from the best medical school, such a lack of experience will likely leave you with some major doubt. In the same way, certifications alone don’t mean a penetration tester is qualified. So, a review of a tester’s past experience is advised.

Here are a few things that will help you assess a penetration tester’s competency:

  • How many years has he or she been professionally pen-testing?
  • Has the tester performed assessments of a similar size and scope to your environment?

Can the penetration tester provide references?

Anyone with a reasonable amount of experience should be able to provide references from satisfied past customers. Ideal references will include customers that are similar to your scope and industry. Obviously, if you are a large financial organization shopping for the best vendor, it wouldn’t make sense to accept a reference for a test against a small taco stand. Then make sure to check the provided references. Find out what they liked about the penetration testing vendor. You might consider asking questions like these:

  • How long did the penetration test take to complete?
  • How would you rate the tester’s communication throughout the entire process?
  • Were they willing to provide reporting and documents customized for your needs?

Is this price too good to be true?

A final question you’ll want to consider is whether or not the pricing makes sense. As mentioned earlier, some vendors are vastly more expensive than others. But what about when the penetration testing cost seems too low? In many cases, ultra-low-cost penetration testing is simply bait-and-switch. Instead of getting penetration testing by a competent security expert, some vendors just run automated vulnerability scans and call it pen-testing. Don’t expect this to pass muster with auditors or your customers. In some cases, these so-called pen-tests might squeak by, but you run the risk of paying for the first test and then having to pay again to get it done properly by someone qualified.

A penetration test usually takes many hours and even days or weeks to complete. Let’s quickly do a sanity check. Does it make sense that an ultra-low-cost penetration test would cover the hourly pay for a certified security expert? Not likely. With that in mind, there is a sweet spot for penetration testing – a blend of expert-level penetration testing at a cost that makes sense.

Feel free to chat with us or call to see how we can provide the level of penetration testing you need.