PENETRATION TEST PROVIDER: HOW DO YOU MAKE THE RIGHT CHOICE?
IT security matters more than ever, and a penetration test is only as good as the people who carry it out. Anyone offering penetration tests therefore needs comprehensive technical expertise.
The demand for IT security experts keeps growing. More and more companies turn to penetration test providers to have their IT checked by a penetration test and to protect their business better through IT security consulting. The sheer number of offers, however, makes it hard to pick the right provider, and many companies end up with a complicated selection process.
How can you make the right decision? How do qualified and unqualified providers differ?
What to look for in a penetration test provider
1. Reputation and Experience
The reputation of the service provider is an important aspect to consider. Pay particular attention to the quality, trustworthiness, independence and technical expertise of the providers.
Quality is reflected in certifications, detailed blog posts, reports in trade magazines and customer references.
Trustworthiness is just as important, because the contracted service provider will be given access to your sensitive company data. The values, philosophy and working style on both sides should match.
Independence is essential: selling hardware or software solutions should not be the provider's focus, because a tester who also sells the fix has an incentive to find exactly that problem. At best, the pentest provider acts as an objective assessor and independent advisor.
Indicators of technical expertise are experience (it takes time and continuous training to build up real depth in IT security) and in-house research and development at the provider. The provider should stay current on newly published vulnerabilities and attack techniques and keep developing its own methods in order to advise you comprehensively; a tester working from outdated knowledge can miss exactly the weaknesses an attacker will use.
2. Individual consulting
Consulting from the potential penetration test provider is the cornerstone of a good cooperation. Make sure that your needs and expectations are addressed: every company has to be looked at individually and has its own protection requirements, and your penetration test should be structured just as individually. A good sign of a professional pentest provider is that, already during the offer phase, many questions are asked about the infrastructure to be tested (systems, interfaces, user roles, test accounts, business-critical functions) so that the type and scope of the test can be coordinated as precisely as possible.
During the offer phase, ask how the pentest provider carries out the analysis. Approaches differ considerably, and so does the operational risk to your systems while data is being collected. As is so often the case, there is no right or wrong here, but the process should match your needs and expectations:
- How aggressively should the penetration test provider conduct the analysis (passive reconnaissance only, non-destructive checks, or active exploitation of findings)?
- How transparent should the test be towards your own IT team (announced or unannounced)?
- How much information do you want to provide in advance (black box, grey box or white box), and what should the tester find out on their own?
- What information and results do you receive at the end?
3. A clearly structured procedure
Every penetration test provider should follow a clearly structured process for their pentest in order to avoid friction and to deliver the best possible results. The procedure of the penetration test is the framework of the project.
Information about the contact persons on both sides, the timeline, coordination meetings, the test window and the completion of the project should be communicated clearly, so that you are always up to date and your day-to-day business is not disrupted. Agree in advance on an escalation path for the case that the test causes an outage or uncovers a critical vulnerability that should not wait for the final report.
4. Effort and format of the penetration test
An appropriate pentest is always sized according to the infrastructure to be tested. A single server with little functionality can be tested quickly; 100 servers, or one application with many roles and workflows, take considerably longer. The effort quoted for the test should therefore be in proportion to the scope, and a quote that does not depend on the scope is a warning sign.
The format and the clearly defined methodology reflect the quality of the penetration test, so pay attention to how the test is actually carried out. A purely automated "penetration test" will not meet your individual needs: a vulnerability scanner finds known, signature-based issues such as missing patches and default configurations, but it cannot reason about business logic, authorisation boundaries or chains of individually harmless weaknesses. Such assessments convey a false sense of security and leave additional risks hidden.
A manual pentest, on the other hand, can be adapted to your individual protection needs and produces comprehensive results. Scanners still have their place as a tool within a manual test; what matters is that a skilled tester interprets, verifies and extends the results rather than forwarding a scanner export as the final report.
To round off a penetration test, the "human" risk should not be disregarded by the penetration test provider. Find out whether social engineering is also covered, as this is often neglected. In addition, you can improve the awareness of your employees through IT security training.
5. Documentation and reporting
Documentation is at the heart of a penetration test. The report should record all identified security risks and vulnerabilities extensively and thoroughly: for each finding the affected system, a risk rating, the steps needed to reproduce it, and concrete recommendations for remediation.
Pay attention to the format in which the results are delivered. There should be different versions for different audiences: a management summary, a technical report for IT with recommendations for action, and a comprehensive presentation of the results. A provider that can do this is demonstrably dealing in IT security expertise, because only those who understand their craft can explain it in an understandable way.
The search for the right penetration test provider is complicated and time-consuming. With these 5 tips we would like to help you make an informed decision.
They let you put potential pentest providers through their paces, even without technical expertise of your own.