10 Questions to Ask your Penetration Testing Service Provider

04 Apr, 2019


Penetration testing is an important activity, both for your organization's security and for compliance with applicable laws and regulations. To ensure that a penetration test simulates a real-life attack, many organizations prefer to engage an external service provider. Choosing a particular penetration testing service provider is a difficult task. Our experts have compiled a list of 10 questions that you should ask a potential penetration testing service provider to make the selection process easier.

1. What are the certifications held by your company?

Certifications are a mark of credibility, as a certified service provider is bound to follow industry-standard practices. To start with, you should check whether a penetration testing service provider is CREST (The Council for Registered Ethical Security Testers)[1] certified or not. Among other certifications, you should check for ISO/IEC 27001:2013 and PCI DSS, as well as compliance with HIPAA and the GDPR.

2. What is your penetration testing methodology?

There is no ideal answer to this question. Every organization is different in terms of infrastructure, people, technologies, objectives, and challenges; in other words, there is no one-size-fits-all approach here. However, a specialist or your point of contact at the penetration testing provider must be able to walk you through the available methodologies and come up with a plan that suits your organizational needs. The Penetration Testing Execution Standard (PTES)[2] is considered a good baseline on which a penetration test can be planned for your organization.

3. What are the things covered under your penetration testing report?

A penetration testing report is critical for your organization, as it helps you understand the weaknesses of your technical infrastructure. Even after a test has been completed, a well-documented report serves as a good reference point for the internal team to plan their remediation work. You can ask a service provider to show either one of their previous reports (suitably redacted) or a sample report. An ideal penetration test report must contain:

  1. Executive Summary
  2. Vulnerability Overview
  3. Vulnerability Details
  4. Risk Score (such as CVSS)
  5. Action Plan for Remediation
  6. Conclusion

4. How do you maintain internal security in your company?

A penetration test may uncover serious vulnerabilities in your technical infrastructure that could significantly impact your business operations if exploited successfully. All of this information remains stored with the service provider even after the penetration test has been completed. You should ask how the service provider will ensure the security of this confidential data and what steps it takes to maintain an adequate level of security.

5. Does your penetration testing service include remediation service?

Many times, we have seen an organization engage a penetration testing service and, after the test is concluded, end up with only a basic vulnerability scan and nothing more. A penetration testing service provider may conduct an in-depth test but offer no remediation of the vulnerabilities it finds, while other service providers believe in building trustworthy long-term relationships and offer full-fledged remediation services. As a decision-maker for your business, you should prefer the latter over the former.

6. Have you made any vulnerability disclosures recently?

If a penetration testing service provider has ongoing research projects, two conclusions can be drawn: first, the team has the technical capability to think outside the box and dive deep into existing security problems, and second, the provider cares about improving the quality of its services. Keep in mind that an individual's skill set can make or break a penetration test. Some indicators of a good penetration testing service provider are building new security tools, regularly identifying zero-day vulnerabilities, and researching the security aspects of new technologies.

7. Is your penetration testing service automated or manual?

Automated tools are a good starting point in a penetration test, but they have their own limitations and hence may miss important, high-risk vulnerabilities (business-logic flaws and chained weaknesses, for example). These limitations can only be overcome with extensive manual testing by qualified personnel. As a matter of general practice, at least 80% of the total testing activities should be manual and the remainder tool-based.

8. Who would be conducting a penetration test and what are their qualifications?

All too often, penetration testing providers sell their services in the name of their most senior expert and then, at the time of the actual test, send junior personnel without sufficient experience. This is not the case with every penetration testing service provider, but where it happens it can lead to a poor test, testing incidents, and a direct impact on your business. So, when you meet a potential service provider, ask thoroughly for details such as the qualifications, background, and work experience of the personnel who will actually be performing the penetration test on your organization.

9. Do you perform background and screening checks of your team members?

As you will have noticed, many of the questions above revolve around the security and confidentiality of sensitive data about your organization. Hence, it is essential that the team members of a penetration testing service provider have a trustworthy background. For example, you would not want an individual convicted multiple times of data theft to perform a penetration test on your network.

10. Will my services remain available during a penetration test?

A penetration test is a simulated attack, and it is not practically feasible for any service provider to guarantee the availability of your services during a test. At the same time, the testing team should know which tests are likely to destabilize a system and which are not. You can also share relevant information about less-robust systems or networks in your technical infrastructure so that they can be tested with appropriate care. A good service provider will work closely with you to address operational concerns and will continuously monitor the systems under test so that any disruption in service can be contained.

We hope that these questions will help you choose a suitable penetration testing service provider for your business. If you have any further queries, feel free to write to us at (email).


References

[1] https://www.crest-approved.org/

[2] http://www.pentest-standard.org/index.php/Main_Page