Problem solve Get help with specific problems with your technologies, process and projects.

Questions for prospective pen test consultants

As the information security officer for a financial institution, what questions should I ask prospective penetration...

testing consultants before I agree to the test?

While this list isn't exhaustive, here are a few that I would ask:

  • How much experience do you have in performing penetration tests? Can you provide some references of former clients? (Check the references, don't just assume they are valid.)
  • What steps do you take to ensure that your penetration testers do not maliciously destroy data on our systems should they successfully get in? Have you run background checks of any kind on your employees?
  • Will you sign an agreement not to disclose any information that you might obtain as the result of a successful penetration?
  • Describe what you will do for penetration testing. Are you doing anything more than running vulnerability scanners?

    Also, a good paper to read on this subject is, "Penetration Testing -- Is it right for you?", by Jimmy Braden, available on the SANS Institute site.

    For more info on this topic, please visit these SearchSecurity.com resources:
  • On-demand webcast: Audits, assessments and penetration tests
  • Best Web Links: Infrastructure and network security
  • This was last published in December 2003

    Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.