Ask the Expert

How to select a penetration tester

What are some criteria for selecting penetration testers?


The objective of penetration testing is not only to evaluate the security of a computer system or network, but also to determine the feasibility and business impact of a successful attack. The test simulates an attacker looking to exploit potential vulnerabilities in your organization's systems. Any security issues found are then reported, along with an assessment of their potential impact and advice on how to mitigate them. The tests are normally carried out before a system or application goes live and are then repeated on a regular basis.

Before selecting a penetration tester, or pen tester, determine exactly which systems you want to test. An expert that tests Unix-based systems is not necessarily also going to be an expert with Windows systems, for example. Once you've decided what to test, I would seek references from colleagues at other companies who have contracted similar work. I prefer this approach rather than relying on pen testing certificates, since there isn't really an industry standard in this field yet.

I wouldn't always just concentrate on the big-name consultancies either. These consultants tend to be generalists, and penetration testing is the job of a specialist. Whoever you use, make sure that you are not left with a trainee once the contract has been signed.

It's also wise to inquire about a potential pen tester's favored methodology. The best way to perform penetration testing is to carry out a methodical and repeatable series of tests, working through many different types of vulnerabilities to avoid an inefficient scattergun approach. Be wary, though, of a pure checklist approach or an over-reliance on automated tools: that style produces more of a vulnerability scan than a full penetration test. Penetration testing is not an exact science, so check that the tester has the flexibility to follow up on any areas of concern and pursue the path of least resistance. This way, the test can focus on attack vectors specific to your environment.

Once you have decided who will do the testing, make sure that they have time to complete a thorough evaluation. A tight time constraint may force a tester to skip certain avenues of concern. It is important that they keep you informed of any findings and that the final report details the tests completed, key discoveries and recommendations. Remember that the report is what you are paying for, and you will want time to discuss it with the tester. If you don't take the time up front to properly select your tester, not only will you waste a significant amount of money, but the report you receive may also give your organization a false sense of security.

More information:

  • Panelists at the Gartner IT Security Summit said companies should shoulder some of the responsibility for penetration testing. Learn why.
  • See which wireless security assessment tools are commercially available.

This was first published in July 2007.
