Ethical hacking: The other side of the fence

Penetration testing provides much needed security information for enterprises, but it can blur the line between ethical and illegal hacking.

With the proliferation of boutique firms and leading security vendors offering ethical hacking services, security managers face the increasingly difficult task of selecting the right vendor for their company. The methodology provided here lets you develop a common criterion, or baseline, for grading multiple vendors. In essence, these recommendations should help the vendor selection process.

First, every company or business unit has its own set of unique requirements. Keep in mind key vendor attributes such as customer relationships, stability, methodology, reputation, location, code of ethics and expertise.

Then ask the following:

  • Has this vendor ever provided any services to your firm? Contact your procurement department to see if it's listed on your company's preferred vendor list. If it is, then talk to the business units that have engaged it.

  • Is ethical hacking the primary source of income for this firm? If it's a publicly traded company, review its SEC filings to ascertain financial stability. If available, obtain analyst reports on the company from groups like Gartner or IDC. Select a vendor that has a range of services in its portfolio; a broad spectrum of services helps it weather a weak economy.

  • What is the vendor's testing methodology? Ask the vendor to explain this crucial component to you. Most will be glad to do so, provided you sign a nondisclosure agreement. A sound testing methodology ensures that quality work can be performed repeatedly with consistent results.

  • How do you determine reputation? You can always rely on word of mouth. You can also check Web sites for white papers, free security assessment tools and the like. If the firm is a market leader, trust its salesperson to tout its accomplishments. Request work references and client contact information, if possible.

  • What is the strength of its local practice? You pay more if the vendor has to bring in consultants from other parts of the country.

  • Do the practitioners subscribe to a recognized code of ethics, either one established by the company itself or by a professional body?

  • Does the staff have experience with a wide range of industry-recognized pen-testing tools? Consider both freeware and commercial products. The environment dictates the expertise required; verify that the company is proficient in the technology you use.

Form a workgroup to develop a list of questions to assess vendor competence and to obtain the necessary buy-in from other business units. The workgroup also helps promote awareness of the process within the business community and heads off future criticism, such as accusations of vendor bias. Develop a weighted matrix and review only vendors that meet the predetermined threshold.

Start by creating sections highlighting key areas of concern. Assign a maximum number of points per section. If all the questions within a section aren't equally important, break it down further by assigning points per question within a section.

One possibility is a sliding scale, referred to here as the "Confidence Index," which represents the degree of confidence in a vendor. Because the workgroup assigns it, the value given to a vendor for a particular question is no longer an individual opinion but the collective judgment or common perception of a group of people. The weighted value is obtained by multiplying the points assigned to a question by the value obtained on the Confidence Index.

Perform the same steps for all sections and then total up the overall value obtained by each vendor. In the scenario above, vendor C is the best since it has obtained 240 points out of a maximum of 350. If you decide upon a threshold of 150, then vendors A and B won't be selected.
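The weighted matrix described in the last three paragraphs, worked through in code. This is an added example, not the article's own scoring table: the sections, the point budget per question, the quarter-step Confidence Index scale, the three vendor names and the workgroup's ratings are all constructed for illustration, so the totals differ from the article's 240-of-350 scenario. How the workgroup arrives at a single agreed Confidence Index value per question is left to the workgroup, as in the article.

```python
"""Weighted vendor-selection matrix with a Confidence Index (added example)."""

# Sections of concern, each with a point budget split across its questions.
# Constructed values; the article leaves the allocation to the workgroup.
SECTIONS = {
    "Methodology": {"documented testing methodology": 40, "repeatable, consistent results": 30},
    "Stability":   {"financial stability": 25, "breadth of service portfolio": 15},
    "Expertise":   {"coverage of pen-testing tools you use": 30, "strength of local practice": 10},
}

# Sliding Confidence Index scale: 0 = no confidence, 1 = full confidence.
# Quarter steps are exactly representable as floats, so totals compare exactly.
CI_SCALE = (0.0, 0.25, 0.5, 0.75, 1.0)


def max_points(sections=SECTIONS):
    """Maximum achievable total: every question rated at full confidence."""
    return sum(sum(questions.values()) for questions in sections.values())


def score_vendor(ratings, sections=SECTIONS):
    """Return (overall total, per-section totals) for one vendor.

    ratings maps section -> question -> the workgroup's agreed Confidence Index.
    Weighted value per question = question points * Confidence Index.
    """
    per_section = {}
    for section, questions in sections.items():
        section_total = 0.0
        for question, points in questions.items():
            try:
                ci = ratings[section][question]
            except KeyError:
                raise ValueError(f"missing rating for {section!r}/{question!r}") from None
            if ci not in CI_SCALE:
                raise ValueError(f"Confidence Index {ci} for {question!r} is not on the scale")
            section_total += points * ci
        per_section[section] = section_total
    return sum(per_section.values()), per_section


def shortlist(vendor_ratings, threshold, sections=SECTIONS):
    """Rank vendors by weighted total and keep only those at or above the threshold."""
    scored = [(name, score_vendor(r, sections)[0]) for name, r in vendor_ratings.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))  # highest total first; name breaks ties
    return [(name, total) for name, total in scored if total >= threshold]


# Constructed workgroup ratings for three hypothetical vendors.
VENDOR_RATINGS = {
    "Alpha": {
        "Methodology": {"documented testing methodology": 0.5, "repeatable, consistent results": 0.5},
        "Stability":   {"financial stability": 0.25, "breadth of service portfolio": 0.5},
        "Expertise":   {"coverage of pen-testing tools you use": 0.5, "strength of local practice": 1.0},
    },
    "Bravo": {
        "Methodology": {"documented testing methodology": 1.0, "repeatable, consistent results": 0.75},
        "Stability":   {"financial stability": 1.0, "breadth of service portfolio": 0.75},
        "Expertise":   {"coverage of pen-testing tools you use": 0.75, "strength of local practice": 0.5},
    },
    "Charlie": {
        "Methodology": {"documented testing methodology": 0.75, "repeatable, consistent results": 1.0},
        "Stability":   {"financial stability": 0.5, "breadth of service portfolio": 0.25},
        "Expertise":   {"coverage of pen-testing tools you use": 1.0, "strength of local practice": 0.25},
    },
}

if __name__ == "__main__":
    print(f"maximum points: {max_points()}")
    for name, total in shortlist(VENDOR_RATINGS, threshold=100):
        print(f"{name}: {total} (per section: {score_vendor(VENDOR_RATINGS[name])[1]})")
```

With these constructed inputs the maximum is 150 points; Bravo scores 126.25, Charlie 108.75 and Alpha 73.75, so a threshold of 100 leaves Bravo and Charlie for review and drops Alpha. Raising the threshold to 130 returns an empty shortlist, which is the signal to revisit either the threshold or the vendor pool rather than lower the bar for one vendor.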

This method of assessment brings everyone within the company on board, providing a vendor-neutral common criterion and a fair degree of precision and meaning to the selection process. The bottom line is that it creates a win-win situation for everyone, including the vendor, since it lets a vendor distinguish itself from the rest on merit and merit alone.

GULREZ JAMADAR, CISSP, CISA, is an information security consultant with International Network Services. He has a background in development of IT policies and procedures, architecture design and deployment.