Ask the Expert

Questions for prospective pen test consultants

As the information security officer for a financial institution, what questions should I ask prospective penetration testing consultants before I agree to the test?

    Requires Free Membership to View

While this list isn't exhaustive, here are a few that I would ask:

  • How much experience do you have in performing penetration tests? Can you provide some references of former clients? (Check the references, don't just assume they are valid.)
  • What steps do you take to ensure that your penetration testers do not maliciously destroy data on our systems should they successfully get in? Have you run background checks of any kind on your employees?
  • Will you sign an agreement not to disclose any information that you might obtain as the result of a successful penetration?
  • Describe what you will do for penetration testing. Are you doing anything more than running vulnerability scanners?

    Also, a good paper to read on this subject is, "Penetration Testing -- Is it right for you?", by Jimmy Braden, available on the SANS Institute site.


    For more info on this topic, please visit these SearchSecurity.com resources:
  • On-demand webcast: Audits, assessments and penetration tests
  • Best Web Links: Infrastructure and network security

    This was first published in December 2003

  • There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: