When selecting a penetration testing company for your IT security program, there are certain qualities, activities and capabilities you’ll want to confirm the consulting firm has before you engage them.
To begin, you’ll want nationally renowned ethical hackers on the team. The team should regularly present at national and international security conferences, including Defcon, ShmooCon, OWASP, and Black Hat.
The firm should employ a team-based approach to performing penetration tests. This ensures a wide range of skills and expertise is brought to bear when performing a penetration test.
The firm should also have forensics experts on staff, and the testing team should be debriefed by them after every incident so that the techniques used in tests match the attacks that are being seen in the wild.
During the test it helps if they can explain all the tools, techniques and attacks that are being utilized. This provides an excellent opportunity for you to increase your knowledge and gain a deeper understanding of the vulnerabilities discovered.
It is always good if the firm does not sell products; this lets you get the best recommendations, which can often include free solutions. This ethically independent opinion is crucial, even compared with the so-called “labs” of product vendors or resellers that appear to be separate.
The team should have developed proprietary toolsets to speed the process of a penetration test without sacrificing quality. In addition, they should create their own exploits and have a history of publishing those exploits to the community.
They should be able to offer vulnerability and penetration testing standards and metrics development when you create a program to review penetration test results. Without putting the data into a standardized form, it is impossible to compare multiple tests or develop meaningful trending.
If you’re really looking to separate out the premium firms, ask them to map the controls tested back to a framework or regulation. This not only identifies potential vulnerabilities; it also assesses maturity and risk within your security program and gives executives specific controls to work on, rather than the standard “there are problems” approach.
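The last two points, standardizing results so tests can be compared and trended, and mapping findings back to controls, are easier to see in working code. The script below is an added example, not from the original post or any vendor's tooling: it normalizes two differently formatted reports into one schema, computes a per-severity profile and the delta between tests, and rolls findings up to the worst severity per control. The sample reports are constructed, the control IDs (CTRL-xx) are a hypothetical catalogue rather than any real framework, and the CWE identifiers used as the pivot are real CWE entries.

```python
"""Normalize pen-test findings from two vendors and trend them across tests.

Added example (not part of the original post). Assumes a simple standard
record per finding and a hypothetical control catalogue (CTRL-xx placeholders).
All report rows below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Fixed severity scale every report is mapped onto; higher number = worse.
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Hypothetical mapping from CWE weakness class to a control in the framework the
# programme reports against. Control IDs are placeholders, not a real catalogue.
CWE_TO_CONTROL = {
    "CWE-89": "CTRL-07 Input validation",
    "CWE-79": "CTRL-07 Input validation",
    "CWE-287": "CTRL-02 Authentication",
    "CWE-798": "CTRL-02 Authentication",
    "CWE-16": "CTRL-11 Secure configuration",
}


@dataclass(frozen=True)
class Finding:
    """One finding in the standardized form used for comparison and trending."""
    test_id: str
    title: str
    severity: str
    cwe: str
    control: str


def _cwe_id(raw):
    """Accept '79', 79 or 'cwe-79' and return the canonical 'CWE-79'."""
    s = str(raw).strip().upper()
    return s if s.startswith("CWE-") else f"CWE-{int(s)}"


def _score_to_severity(score):
    """Map a CVSS-style 0-10 score onto the shared severity scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


def normalize_vendor_a(test_id, rows):
    """Vendor A reports a numeric score and a bare CWE number."""
    out = []
    for r in rows:
        cwe = _cwe_id(r["cwe"])
        sev = _score_to_severity(float(r["score"]))
        out.append(Finding(test_id, r["name"], sev, cwe, CWE_TO_CONTROL.get(cwe, "UNMAPPED")))
    return out


def normalize_vendor_b(test_id, rows):
    """Vendor B reports severity as free-text words and CWE with the prefix."""
    out = []
    for r in rows:
        sev = r["risk"].strip().lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity label {r['risk']!r} in {test_id}")
        cwe = _cwe_id(r["cwe"])
        out.append(Finding(test_id, r["title"], sev, cwe, CWE_TO_CONTROL.get(cwe, "UNMAPPED")))
    return out


def severity_profile(findings):
    """Count of findings per severity level, with every level present."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def trend(earlier, later):
    """Change in finding counts per severity from one test to the next."""
    a, b = severity_profile(earlier), severity_profile(later)
    return {sev: b[sev] - a[sev] for sev in SEVERITY_ORDER}


def control_gaps(findings):
    """Worst severity observed for each control: the view executives act on."""
    worst = {}
    for f in findings:
        cur = worst.get(f.control)
        if cur is None or SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[cur]:
            worst[f.control] = f.severity
    return worst


# Constructed sample reports from two engagements in different vendor formats.
VENDOR_A_RAW = [
    {"name": "SQL injection in search", "score": "9.1", "cwe": 89},
    {"name": "Reflected XSS in login page", "score": "6.5", "cwe": 79},
    {"name": "Default admin credentials", "score": "8.0", "cwe": 798},
    {"name": "Verbose server banner", "score": "2.0", "cwe": 16},
]
VENDOR_B_RAW = [
    {"title": "Reflected XSS in login page", "risk": "Medium", "cwe": "CWE-79"},
    {"title": "Session token not rotated at login", "risk": "High", "cwe": "CWE-287"},
    {"title": "Verbose server banner", "risk": "low", "cwe": "cwe-16"},
]
TEST_Q1 = normalize_vendor_a("2023-Q1", VENDOR_A_RAW)
TEST_Q3 = normalize_vendor_b("2023-Q3", VENDOR_B_RAW)

if __name__ == "__main__":
    print("Q1 profile:", severity_profile(TEST_Q1))
    print("Q3 profile:", severity_profile(TEST_Q3))
    print("Trend Q1->Q3:", trend(TEST_Q1, TEST_Q3))
    print("Q3 control gaps:", control_gaps(TEST_Q3))
```

The pivot on CWE rather than on each vendor's own finding titles is what makes the comparison stable: titles differ between firms and between years, while the weakness class and the control it maps to do not, so a critical SQL injection that disappears by the next test shows up as a real improvement in both the severity trend and the control view.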