Choosing an independent penetration testing firm

Looking for an outsourced pen testing solution? It's an important decision, and one you should approach strategically and methodologically.

TL;DR

There are three overarching areas to consider:

  • Your requirements. To get the best value for your investment you need to know what you need help with: is it a pentest? Or just a VA (vulnerability assessment)? Or help with some basic security awareness training for your development team?
  • Trust and experience. Can someone recommend a trustworthy security vendor to you? If not, then for each prospective partner try to figure out what the firm’s background is. Have they worked with clients in your industry? Are they interested in your business? Do they perform any research in areas that are relevant to you?
  • Their approach. Who will be delivering your assessment? Do they understand your business and motivations? What is their workflow like? Do they have a process in place to ensure consistent, high-quality results every time?

What are your exact pentesting requirements?

Often, teams perform security projects without questioning why they're doing it. None of these are acceptable reasons:

  • We made a change in the app and the policy says we need to have it pentested.
  • We deployed a new server and IT said we need to pentest it.
  • A year has passed since our last test and we have to do it again.

You need to have a clear goal in mind before choosing a pen testing consultancy.

What do you need from an outsourced solution?

There are several questions to ask yourselves before looking for an external solution. While there's no conclusive list of questions, these are a good start:

  • Do you know what a penetration test consists of?
  • Do you need penetration testing?
  • What would be the goal of the tests if you performed them?
  • How often would you need pentesting?
  • Do you have any in-house resources?

How do you go about answering these questions?

You may have internal knowledge in your team that can answer some of these questions. You may be able to answer them already.

The next step is to write them down, share them, and get feedback. Document your exact requirements and seek internal agreement before reaching out to vendors.

If you don't know exactly what you're looking for or there is internal disagreement, you need to figure it out:

  1. Reach out to industry colleagues in similar roles/companies/industries.
  2. Ask around at the next conference you go to.
  3. Bring in an independent consultant for a couple of days to help you gain an understanding of your requirements.

When you reach out to vendors, ask them to define what they believe your requirements to be as part of their pitch. Look for synergy between what you believe you need and what they believe you need. It helps you confirm that they have your best interests in mind.

Do you need penetration testing specialists?

Should you go for a general IT contractor or a security specialist? There is no clear-cut answer and it depends on your needs more than anything else.

I’ve worked with big integrators where the security team was virtually non-existent. Of course, that didn’t prevent the business from selling security services. ‘Security consultants’ do IT deployments or code Java until a security project arrives. They then gather in a team and deliver it.

This may work for you or not, but you need to know before finding an outsourced pentesting solution. If you need support in several areas, it might make sense to choose a generalist consultancy.

Where does remediation sit in your company?

Are you looking for a more traditional pentesting consultancy, one where they complete testing, create a report, and hand it back to your team for remediation? Or are you looking for a consultancy that will support you through the journey from findings to fixed?

Make a shortlist of options

Once you have an idea of your needs, start some initial research. Most of this can be done online, but it’s a good idea to reach out to the infosec community too. People are usually happy to share their experiences.

Assuming that you have decided to go for a security testing company, there are some important factors to consider before and after reaching out to potential firms.

Before reaching out

Look for trust signals:

  • Can you find reviews/references online?
  • Do the usual due diligence and check if they're registered as a company, etc.

Decide whether it’s important that they’re active in the community

There’s a school of thought that good penetration testing companies should be attending conferences and publishing research papers.

That’s not necessarily true anymore. There are three issues to consider:

  1. Not all conference speaking slots are created equal, and not all of them are earned on merit.
  2. There are more consultancies than speaking opportunities. You might be overly narrowing your search.
  3. Consultancies like to be lean. Some will sacrifice putting time into research in favor of serving their clients.

If you conclude that it is important to you, don’t approach this as a ‘tick box’ exercise, where all consultancies that have appeared at a conference, or published research, qualify for your shortlist.

For conference appearances, consider:

  • Analyze the content that was presented.
  • Was it really research or does the company employ a well-known industry expert who is regularly invited to speak at the conferences to give their opinion on the state of the art?
  • Does the research have sufficient breadth and depth or was it put together in a rush to have it in time for the conference?
  • Was it relevant to your business? Even if a well-known company has someone finding amazing bugs in some cutting-edge technology like NFC, you may be better served by a lesser-known company presenting on an SAP testing methodology or on the SAP testing toolset they have created over the last few years doing this type of testing.

And for published research:

  • Are the advisories in technologies your company uses? If all their advisories are on Microsoft-related technologies and you are a Linux/Solaris shop, that wouldn’t help.
  • Is the research recent enough? The security industry changes quickly and even though security specialists are fairly loyal to their employers, they move on from time to time. Verify they are still around to help your company.

Questions for your final shortlist

When you have a shortlist of 3-4 firms you think may be a good fit, it’s time to reach out and start having some conversations with them. When you do, there are some things you’re going to want from them.

Ask for references

Ask them to put you in contact with organizations of a similar profile to yours. It’s important that they are of a similar profile, or otherwise their feedback might not be as valuable. If you are an SME owner in the tourism industry, a reference from the CSO of a huge high-street bank is of little value. Chances are they are pouring money into the vendor and the firm is bending over backwards to ensure the bank is fully satisfied.

Ask for examples of similar projects they have undertaken.

Don’t settle for a conference call or a conversation on the subject; consultants (security or otherwise) are paid to sound good even when they aren’t experts in what they are talking about. Push for a sanitized report (not the marketing sample) to see what a real-world deliverable looks like (more on this later). This is a very technical service you’re shopping for. You have to be able to trust both the management team and the technical team in the firm. There are several things you can look into when trying to establish that trust.

Don’t forget the legal bits

This falls a bit outside the scope of this article in the sense that it has nothing to do with the firm’s technical competence. However, it is essential that you consider these points as part of your due diligence process.

  • Does the company carry sufficient insurance and reasonable legal agreements?
  • Are there any NDA terms that you need to discuss with them?
  • Does the firm hold any relevant certifications that your company might care about (e.g., ISO 27001)?

What is their approach to testing?

Ask vendors under what circumstances they would advise a customer to accept the risk of a vulnerability rather than fix it. If they can’t give a good example of this, you might be dealing with someone who views security in a vacuum and doesn’t consider other business factors when framing recommendations.

Your vendor’s approach needs to be aligned with your business goals. This type of question should be asked of the people who will be directly involved in the technical delivery of your projects, not of your salesperson or account manager. At the very least, you should have a conversation around this with the head of the pentest practice (or technical director).

Ask about their team

When working with a technical consultancy, the bigger it gets, the bigger the risk of being affected by the “team lottery”: the variation in service you will notice depending on who gets assigned to deliver your projects. There are two factors that can minimise the risk of the team lottery: the company’s workflow/methodology and the overall composition of the team.

Remember that companies don’t perform penetration tests, people do. So no matter which company you go to, it always boils down to the person you have working on your account.

Cut through the sales layer and try to reach the technical director or pentest practice leader. If you are going to spend any significant amount of money request a conversation with the testers assigned to your project. Or at the very least request their CVs/bios.

Do they have experience working under your requirements?

Does their general work experience make you comfortable (e.g. someone who has just started their pentesting career may not be the best fit to test your critical AS/400 mainframe)?

If in doubt request a conversation or find out if someone else can be assigned to your project. Scheduling is very fluid in pentest firms and they should be able to accommodate such requests. The goal of this exercise is to minimise the team lottery by being vigilant and pushing back.

The firm’s size is also a factor: the bigger the consulting organization gets, the more likely the consultants will be generalists as opposed to specialists. This may or may not be an issue for you. Depending on your requirements, your needs may be better served by a generalist.

  • You don’t want a reverse engineer who specialises in subverting DRM libraries for embedded systems running your external infrastructure pentest.
  • You also don’t want a generalist looking at your DRM library.

Finally, figure out if the company subcontracts any work. Don’t get me wrong, some of the finest testers I’ve worked with wouldn’t change freelancing for any job in the world. However, when third parties are involved you have to double-check the situation with the firm’s legal coverage (e.g. liability insurance), and the due diligence you performed on the main team’s technical leadership and members should be extended to any third parties and contractors.

What workflows, tools and methodologies are they used to?

Even if they have a bunch of great people in the team, there are still some important things to consider about the firm’s methodology and processes.

The first one is the testing methodologies the company has for the different types of engagements that will be relevant to your company. It is of no use to you if the company excels at wireless assessments when you just need a code review. Creating and maintaining a high-quality testing methodology is not without its challenges, and the bigger the penetration testing firm, the more important their methodology becomes.

There are a number of industry bodies that provide baseline testing methodologies including:

The fact that your point of contact is aware of some of these organisations does not mean that the team assigned to your engagement will follow their methodology.

Have a conversation with the technical director about the methodologies used by the team. And then have the same conversation with the team members assigned to your project. If you get different responses from the technical director and the team members the chances are the firm is not seriously following any defined testing methodologies.

Consider whether engagements are typically run by a single person or routinely involve several testers. Having multiple testers in your project ensures that a wide range of skills and expertise are brought to bear against your systems which maximises your chances of uncovering most of the problems.

If multiple testers are going to be involved in your assessment, how does the team coordinate their efforts to ensure there is no time wasted and that all points in the methodology are covered?

If your test team is on the same page and has the right collaboration tools, you will ensure there won’t be any time wasted, tasks will be split efficiently among the available team members and all points in the methodology will be covered.

What does their reporting look like?

In most cases, when you engage a penetration testing firm, the final deliverable you receive is a security report. Before making your decision and choosing a vendor, it is important that you are provided with a sample report by each prospect. You should also ask how they create their reports and how long it takes them. You don't want to be paying them to spend 10 hours per project when a pentest report automation tool could help reduce that to 3 hours.

The report needs to be able to stand on its own, providing comprehensive information about the project: from a description of the scope to a high-level, executive summary of the results and a detailed list of findings.

It should also provide remediation advice and any supporting information required to validate the work performed by the team (does it look like they attained sufficient coverage?) and to verify that issues have been successfully mitigated after the remediation work is performed.

Whilst some of the report sections have to be very technical and full of proof-of-concept code, requests or tool output, the report also needs to present the results of the engagement in the context of your business.

Sure, you found three Highs, seventeen Mediums and twenty Lows, what does it mean for my business? Should I get the team to stop doing what they are doing and fix all the issues? Some of them? None of them?

All findings are not created equal, and some testers get carried away by the technical details or the technical mastery required to find and exploit the issues and forget about presenting them in a context that matters to your business.

In general the more experienced the tester, the more emphasis will be put on the business context around the findings uncovered (of course “experience” is not a synonym for “age”).

As a result, and to try to avoid the team lottery mentioned above, in an ideal world you would be provided with a sanitised report written by the same person who will be writing your deliverable.

This may not be practical in every instance but if you are going to engage on a mid-size or larger assessment, I think it is reasonable to push for this sort of proof to ensure that the final document you will receive is legible, valuable to your business and of an overall high-quality standard.

About the Author

Daniel Martin is the creator of the Dradis Framework and Dradis Professional. Follow him on Twitter @etdsoft
