How to choose Penetration Testing companies?

by Rudra K Sinha Roy on September 1, 2009

in Penetration Testing

A common question is: why hire a third-party penetration testing company at all? Why not assign the network security test to a team from your own technical group? For one, security audits, like traditional financial audits, are better done by outsiders with no bias toward anyone or anything within your organization. That is the only way to make sure fresh eyes look objectively at the systems you have. Another reason to hire a network security company is that experts who can thoroughly penetration test your systems are scarce. What is more, keeping such experts on your own payroll can be very costly for your organization.

# Tip 1: Evaluate Technology Competence of Vendors

There are many companies for whom penetration testing is not a core offering but only a value-added service. They run open source tools and scripts without real competency in the subject or the underlying technology. Good indicators of a vendor's technology competency are:

# Tip 2: Focus on the vendor’s real knowledge and not just on certifications

If you focus too much on individual certifications, you will end up eliminating many top-notch penetration testers. As an industry, penetration testing has not reached consensus on a meaningful certification framework. So, while large companies encourage individuals to get certifications, this over-emphasis is one of the reasons strong penetration testers are attracted to specialized penetration testing companies like iViZ, which place value on individual skills over industry certifications.

[Image: Choosing Penetration Testing Company. Caption: Who will be your next Pentesting company?]

# Tip 3: Evaluate the company's trustworthiness and competence

You will be giving them access to your systems, customer information, sensitive company research, insider memoranda and other confidential material. You will also be letting them into the backbone of your company's operations. You need to be sure they can be trusted with the data you hold. Look at their previous client list and their overall reputation. Talk to competitors and friends alike and ask for recommendations on which penetration testing companies to consider and call. More importantly, talk to your potential vendor and ask a lot of questions. These can be hypothetical or real questions about your systems; you can gauge their level of competence through their responses.

# Tip 4: Consider cost versus frequency for maximum leverage

Gartner recommends that "Penetration Testing carried out regularly is the only way to be one step ahead of hackers". However, with the conventional manual approach this is too costly. Different testing companies levy different fees for their security audits. It is best to lay down what kind of penetration testing you need and get quotes from specific companies for that scope. Organizations without scalable technology for recurrent testing are normally 30-40 times more costly per test than organizations that do have such capability. Imagine the benefit of 12 tests in 12 months at $20,000 over a single test for the entire year at $30,000!

# Tip 5: Seek penetration testing specialists, not generalists

There are many penetration testing companies that can be impressive when discussing attack vectors, the associated impacts, root causes, and remediation. They may also have their favourite case studies and can illustrate each type of vulnerability in plain language. But they may not have real expertise in front of the keyboard. A simple question that helps identify them is: "How specialized is the penetration testing company? Do they deliver this particular service 30% of the time, 60%, or 100%?" Good penetration testers are a rare breed. When it comes to testing your network or application, you need a great penetration tester, not a great boutique firm!


Centuno May 18, 2010 at 3:38 am

Very nice post… In this competitive edge you need the best security and safety solutions for your valuable data, and in the market there are so many companies providing security services, but you need the best Network Security Solutions and Information Security Assessment.

Thanks
