Choosing the Right Pentesting Team
Data breaches and other cyberattacks against companies of all types and sizes continue to increase in a world that is now predominantly digital. (See information here on the previous year's cybercriminal trends.) Many of these companies have realized the need to run security testing on their systems to determine whether they are vulnerable to potential threats and to carry out the required improvements as soon as possible. However, some companies may limit themselves to complying with industry standards and consumer protection regulations such as HIPAA, PCI DSS, and GDPR.

One way or another, the penetration testing (pentesting) approach has gained value and popularity in security assessment over the years among organizations beyond government agencies and banks. For this reason, the pentesting market has become much more extensive, with more and more pentesting vendors offering their services, which makes the choice increasingly complex for companies interested in implementing it. As the professional pentester Elliot expressed at Security Boulevard last year, "Selecting a penetration testing company can be a daunting task. It's an industry plagued with misleading sales tactics, weak certifications, and simply unqualified professionals." As a consequence, different companies and individuals involved in cybersecurity have been sharing on social media some tips to take into account when choosing pentesting providers. Before going through those tips to better understand the market, let's get a little more familiar with the concept.

In the late 1960s, so-called "tiger teams" began to emerge to test the ability of government and business systems to resist cyberattacks. Among the pioneers of penetration testing development is James P. Anderson, who in the 1970s established final testing steps for those tiger teams. However, it seems that it was only recently, in 2009, that a penetration testing execution standard was defined for testing systems for ways to breach them and gain access to data. This rigorous approach combines manual procedures by ethical hackers with automated checks by tools, with the former predominant. In short, pentesting is a security assessment that simulates genuine attacks to identify vulnerabilities that cybercriminals could exploit in a particular environment.

A year ago, Charles Horton published a post for NetSPI outlining four attributes that you can consider when choosing an appropriate pentesting and vulnerability management team for your organization. First, he points to the undeniable importance of having a talented group. Each of the pentesters should have the ability to view the targets through the eyes of malicious hackers. They should be agile in acquiring knowledge and improving the techniques they employ according to the needs of their clients and the new complexities in their field. Of course, you should verify that it is really a team that will work with your staff, and not a single individual who carries all the weight and responsibility.

In relation to the talent attribute, we can see that other sources (e.g., Infosec and Intruder) also talk about certifications and experience. They recommend that you look for pentesting teams with members holding industry-recognized professional certifications such as CEH, CRTE, OSCE, OSCP, OSWE and OSWP. Such credentials may generate some confidence regarding the competence of the pentesters. But beware: they should not be taken as a sufficient measure for choosing a team! As Elliot says, the certifications "still fall very short of [what's] expected of a skillful pentester. Remember that certification bodies inherently must target a large enough group of people to stay profitable." Instead, he invites you to pay close attention to companies' git repositories as well as their research and publications.
As a second attribute, Horton highlights the ability of the team to maintain standardized and, at the same time, customizable pentesting processes. Through standardization (as can be done, for instance, with pentest checklists), a specialized company should guarantee consistent results across different evaluation projects. As for customization, they should demonstrate that they can recognize the similarities and differences between their customers' needs and are able to adjust their penetration testing accordingly.

Customization is related to flexibility and an open mindset, qualities that a pentester must possess. The analysts you choose to assess your organization's security should be curious and creative, always interested in learning new techniques and new environments in which to simulate attacks. Of course, to ensure that the pentesters involved are an appropriate match for your needs, keep in mind the words of Andrew at Intruder: "make sure your potential provider has relevant experience in the types of technology you're working with."

In a third point, Horton mentions that an excellent pentesting team for your business should know how to handle and present the data obtained from the analysis, all in a way that helps your staff remediate vulnerabilities quickly and effectively. It is the pentesting force, with its tools, that should organize detailed reports and prioritize the findings for you, saving you some administration headaches. As Brecht at Infosec notes, pentesting reports can be swamped with technical jargon, which is a problem. This is why the ability to communicate complexity in terms understandable to non-technical executives is highly valued. So, request, review and compare sample reports from providers!

We can also add that the company providing the service must agree to a documented confidentiality and data security agreement. Beforehand, the vendor must carry liability insurance to protect your company from any damage or loss related to your systems and information assets. Additionally, you must know who the pentesters in charge of conducting the tests will be and how the data will be managed, requesting information such as names and bios.

Horton ends with an attribute that emphasizes the collaborative quality of the pentesting team. From the outset, the members of these evaluation groups should be trained to possess a collective mindset. Beyond sharing knowledge internally, collaboration is about expanding it, delivering it to others outside the corporate boundaries, and contributing to a community dedicated to cybersecurity. We can add here that the pentesting team should know how to keep constant and clear communication with your staff. They should always provide feedback on progress, difficulties and results, along with valuable recommendations for action.

Selecting a competent penetration testing provider is not a simple task, but it is ideal for detecting vulnerabilities in your systems and keeping your organization healthy. If you are looking for a penetration testing service provider for a long-term partnership, we can show you how we at Fluid Attacks meet all the attributes listed here and even more. We are a company that recognizes the fundamental value of manual analysis in pentesting, so we employ automated tools but overcome their flaws through human hackers' efforts. We are among those who offer you reattacks to confirm that the vulnerabilities have been successfully remediated. Moreover, we surpass the typical number of two or three professionals per project, reaching an average of 15 ethical hackers! Do you want to know more about us? You can check our repository here and our customer reviews here. For more information, don't hesitate to contact us!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/choosing-pentesting-team/