Today’s businesses depend heavily on IT systems for routine, everyday tasks, which is a key reason IT security has become such an important topic in boardroom conversations. Insecure systems mean a higher risk of disruption, data loss, financial loss, reputational damage, and regulatory noncompliance.
Penetration testing (or pentesting) has grown in importance as organizations of all sizes strive to secure their information systems. A system’s owner and its developers often have blind spots when evaluating its security, so bringing in an independent penetration testing company such as Emagined Security is essential. Penetration testing vendors, however, come in many shades.
You want to be certain that the vendor you pick is fit for the job. Here are some of the more critical factors you should take into consideration.
1. Type of Pentest
What type of penetration test (pentest) are you looking for? Is it a network/infrastructure test, a mobile application test, a web application test, a desktop application test, or a database test?
How would you like the test performed? It could be black box, white box, or grey box testing. Black box testing is done with no prior knowledge of the system; it is the perspective of an outsider.
Grey box tests are done with limited knowledge of the system environment, mirroring the viewpoint and authorization level of a legitimate system user, typically by giving the tester a standard user account. White box tests are performed with extensive knowledge of the underlying design and structure of the test environment, usually including architecture documentation, configuration details, and often source code.
The different types of pentests require distinct skill sets, knowledge, and tools. Choose a vendor who can demonstrate experience in the exact kind of pentest you are looking for.
2. Data Protection Procedures
A good pentester will have an exceptional ability to access and manipulate your system’s confidential data. They must therefore show that they will process and store this information securely before, during, and after the test. You are entrusting your organization’s most sensitive data to a third party, so it is only fair that they provide a credible explanation of how they’ll handle it.
Key questions to ask include how your data is transmitted, stored, and erased, and whether it is encrypted in transit and at rest. Find out how long the pentester will retain your records, including test evidence such as screenshots, captured credentials, and any extracted data, and how that evidence will be destroyed at the end of the retention period.
Ask whether they have ever been breached themselves. It might seem surprising that a pentester would tell on themselves, but ask anyway. Having been hacked doesn’t necessarily mean the pentester is incompetent, but if it was due to an easily avoidable weakness, you might want to reconsider working with them.
3. Liability Insurance
Despite a vendor’s best efforts, a pentest can go wrong and have unintended negative consequences. So before you sign a contract with a pentesting vendor, confirm that they have liability insurance. The insurance cover protects your business if those liability risks materialize.
For instance, if the testing damages your physical or technology infrastructure, the insurance cover can remedy the resulting loss. A penetration testing vendor is in the business of data protection and information risk management, and a valid liability insurance cover is a sign that they take their responsibility to safeguard the customer’s environment seriously.
4. Cost
Money should never be the primary factor in your choice of a vendor. Still, every business has limited resources and cannot afford to spend just any amount quoted. Different vendors will quote different costs for the tests.
If you’ve had a pentest done on one or more of your systems before, then you likely have a rough idea of how much it will cost you. Therefore, you can come up with a realistic budget up front.
On the other hand, if you haven’t commissioned a pentest before, you are better off listening to how much different vendors charge. After that, you can determine what fee is acceptable to you. When comparing vendor quotes, make sure you are comparing like with like: check the scope covered, the number of tester days, whether retesting of fixed findings is included, and what the report contains. Just because an engagement is called a pentest doesn’t mean every vendor follows the same process.
These four factors are certainly not the only ones. Other things you should ask prospective vendors for include relevant references, sample reports, project management expertise, and their test methodology. Checking these things improves the likelihood of getting value for your money.