Choosing a penetration testing firm can be a difficult undertaking. When you search for penetration testing on the internet, you’ll come across adverts from various well-known security companies. It’s no secret that these security firms pay a lot of money to have their adverts appear when you search, and that expense is usually passed on to their clients. When it comes to pen-testing, it’s not uncommon for potential clients to encounter sticker shock, and they may wonder if they’re receiving what they pay for.
Unfortunately, some businesses place their trust in high-cost testing, believing that if they pay more, they’ll get better service. To some extent, that way of thinking is unsurprising. On the one hand, you want your test to be completed correctly and with a high degree of skill. On the other hand, you don’t want to be taken advantage of by paying an exorbitant fee for shoddy work. So, how can you weed out the low-value options and find a qualified provider at a fair price?
When looking for a qualified penetration testing vendor, ask the following questions:
What Credentials Does This Prospective Pen-tester Have?
This is a crucial question, even though holding a certification does not by itself make someone a good pen-tester. It is an excellent starting point for judging how serious a vendor is about training its staff and staying current with industry best practices and standards. Many auditors and customers will also want to see that pen-tests are performed by individuals who hold at least one of the standard penetration testing certifications. Some of these certifications include:
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- GIAC Certified Penetration Tester (GPEN)
As a note of caution regarding pen-testing certifications, not all credentials are equal in value. For instance, the Certified Ethical Hacker certification is sometimes dismissed by security experts as having little value. Rather than demonstrating real-world hacking skills, some certificates only show that a person can pass a multiple-choice test.
In our opinion at Backbone Security, the Offensive Security Certified Professional credential should be considered the gold standard for pen-testers. Attaining this certification requires an understanding of sophisticated tasks and the application of real-world hacking skills during a 24-hour hands-on exam. To make the difference between specific certifications clearer, consider an example. An OSCP will have demonstrated that they can write and deploy a custom buffer overflow exploit. A CEH might have picked “buffer overflow” as the correct answer on a multiple-choice exam.
With that said, Backbone Security requires its penetration testers to hold, at a minimum, the OSCP credential.
What Is This Penetration Tester’s Experience?
Would you be excited to hear that you are a surgeon’s first real patient? Even if they came from the best medical school, such a lack of experience would likely leave you with significant doubts. In the same way, certifications alone don’t mean a penetration tester is qualified, so a review of the tester’s experience is advised.
Here Are A Few Things That Will Help You Assess A Penetration Tester’s Competency:
- How many years have they been professionally pen-testing?
- Has the tester performed assessments of a similar size and scope to your environment?
- Can the penetration tester provide references?
Anyone with a reasonable amount of experience should be able to provide references from satisfied past customers. Ideal references will be customers similar to you in scope and industry. If you are a large financial organization shopping for the best vendor, it won’t make sense to accept a reference for a test against a small taco stand. Then make sure to actually check the provided references. Find out what they liked about the penetration testing vendor. You might consider asking questions like these:
- How long did the penetration test take to complete?
- How would you rate the tester’s communication throughout the entire process?
- Were they willing to provide reporting and documents customized for your needs?
Is This Price Too Good To Be True?
A final question you’ll want to consider is whether or not the pricing makes sense. As mentioned earlier, some vendors are vastly more expensive than others. But what about when the penetration testing cost seems too low? In many cases, ultra-low-cost penetration testing is simply bait-and-switch. Some vendors run automated vulnerability scans and call the result a pen-test, rather than having a competent security expert perform actual penetration testing. A scanner only flags known vulnerabilities and misconfigurations; it does not exploit them, chain findings together, or test business logic, which is precisely what a penetration test is supposed to do. Don’t expect a scan report to pass muster with auditors or your customers. In some cases, these so-called pen-tests might squeak by, but you run the risk of paying once for the inadequate test and then paying again to have it done correctly by someone qualified.
A penetration test usually takes many hours, and often days or weeks, to complete. Let’s quickly do a sanity check. Does it make sense that an ultra-low-cost penetration test would cover the hourly rate of a certified security expert for that long? Not likely. With that in mind, there is a sweet spot for penetration testing: a blend of expert-level penetration testing at a cost that makes sense.