Selecting the right vendor to conduct penetration testing for your organization can be a challenging task. It’s important to understand how what may seem like a straightforward process can evolve into a multi-week effort. The market offers a wide range of solutions with significant variation in both cost and deliverables. This document offers guidance to help you choose the vendor that best aligns with your organization’s needs.
The Complex World of Penetration Testing Services
There is a wide array of vendors offering penetration testing services online. While some are highly reputable but come with higher costs, others present seemingly comprehensive packages that fall well within budget. However, the notion of “you get what you pay for” does not always apply in this context. A more thorough evaluation of the testers’ qualifications, including their training, experience, and methodology, is essential to making an informed decision when selecting the right vendor for your environment.
Choosing The Right Vendor
The tester plays a pivotal role in selecting the appropriate vendor for penetration testing. An inexperienced tester may inadvertently cause outages or delete sensitive data. When granted high-level privileges, the wrong tester could make irreversible changes to the network or application.
In contrast, a skilled and experienced tester understands the potential risks and takes precautions to avoid disruptions. For instance, upon identifying a vulnerability in a sensitive directory, a competent tester would seek approval to perform a proof of concept and ensure data is backed up beforehand to prevent any loss. Additionally, the tester would be fully aware of the capabilities that come with privileged access and would use it strictly for verification purposes, avoiding any modifications.
Experience
Most penetration testers come from backgrounds in systems engineering, development, or network engineering, having transitioned from defensive roles in security to offensive positions. This shift allows them to leverage their previous experience in their new role. These foundational roles are critical for building the knowledge base needed for penetration testing. However, even with this foundation, testers must continue to develop their skills and undergo specialized training in offensive security.
A penetration tester without a solid foundational background should raise concerns for any organization. Penetration testing is a highly specialized skill set that requires experience and cannot be effectively mastered without first building that foundation.
Certifications
While there are many certifications available in the field of security, the industry has a specific subset that is particularly relevant when evaluating a penetration tester. This section will highlight the key certifications and their requirements to guide the selection process.
OffSec
OffSec offers some of the industry’s most respected penetration testing certifications, which require hands-on, practical experience. Unlike many other certification programs, OffSec exams involve penetrating real-world environments rather than simply answering theoretical questions. Key OffSec certifications include:
OSCE3 (Offensive Security Certified Expert3) – This certification demonstrates mastery of offensive security skills and techniques. Holders of the OSCE3 certification possess advanced knowledge of web applications, penetration testing, and exploit development. The certification process includes three proctored 48-hour exam in which testers must compromise several systems within a network, followed by a 24-hour period to produce a comprehensive report for each.
OSCP (Offensive Security Certified Professional) – One of the most recognized and comprehensive penetration testing certifications, OSCP covers advanced concepts such as Active Directory, network exploitation, application manipulation (e.g., buffer overflows), and custom script development. The certification process includes a 24-hour proctored exam in which testers must compromise multiple systems within a network, followed by a 24-hour period to write a detailed report.
OSWE (Offensive Security Web Expert) – Focused on web application exploitation, OSWE-certified testers have expertise in performing deep analyses of decompiled code and chaining complex attacks to exploit web vulnerabilities. The certification involves a 48-hour proctored exam where testers must compromise a series of web applications, followed by a 24-hour reporting phase.
SANS Institute
The SANS Institute offers a wide range of certifications, covering topics from system administration to advanced reverse engineering. Key SANS certifications include:
GXPN (GIAC Exploit Researcher and Advanced Penetration Tester) – This certification focuses on Windows and Linux exploitation, reverse engineering, and advanced concepts in cryptography, network manipulation, and custom binary development to bypass security mechanisms.
GWAPT (GIAC Web Application Penetration Tester) – This certification specializes in web application attacks and exploits. Testers holding GWAPT certification have in-depth knowledge of the OWASP Top 10 vulnerabilities and are skilled in both manual and automated testing methods.
GPEN (GIAC Certified Penetration Tester) – Designed for penetration testers, GPEN certification covers red teaming, blue teaming, and penetration testing. Certified individuals possess advanced knowledge of domain escalation, lateral movement, web injection attacks, and vulnerability exploitation.
Other Certifications
In addition to the certifications mentioned above, other credentials are often sought by penetration testers. However, the six certifications outlined above are considered the flagship qualifications in penetration testing. A tester with additional certifications in complementary areas, such as networking, can be considered a specialist. For instance, a tester holding both GPEN and CCNP (Cisco Certified Network Professional) or CISSP (Certified Information Systems Security Professional) certifications demonstrates expertise in networking and core security practices.
Paired certifications often reflect the tester’s career progression and expertise in specific domains. Additionally, regional certifications, such as the CREST series, hold significant weight in Europe, as they are governed by a UK-based body.
Asking the Right Questions
Questions for the Salesperson:
- Does the vendor conduct background checks on their testers?
- Since testers may access sensitive information, ensuring the organization performs thorough background checks provides additional security and peace of mind.
- How many testers will be dedicated to my engagement?
- It’s important to confirm that adequate resources are allocated based on the project’s complexity and scope.
- Is retesting offered?
- After the initial test and implementation of remediations, a retest can confirm that the fixes have been successfully applied.
- Can a redacted report from previous tests be shared?
- Requesting a redacted report from similar tests helps verify the vendor’s experience. Ensure the report details an actual penetration test, not just a vulnerability scan.
Questions for the Tester:
- How long will it take to receive the report after testing is complete?
- Set clear expectations for report delivery timelines before finalizing the contract.
- What certifications do the tester(s) hold?
- Ensure the testers are qualified and possess relevant certifications for penetration testing.
- What framework or guideline do you follow during testing?
- A well-defined framework or guideline is essential to ensure consistency and accountability throughout the testing process.
- Will any of the testing be outsourced?
- If outsourcing is involved, consider how data will be handled and secured during the testing process.
- What actions will you take if administrative level access is obtained?
- The tester’s response to this question provides insight into their approach and risk management strategies.
- Will there be a post-test debrief?
- Verify that the service includes a post-test discussion and a comprehensive deliverable outlining findings and recommendations.
- What testing methodology will be used?
- Look for a clear, unscripted explanation of the tester’s approach. Experienced testers should easily articulate their methods.
- How is my data handled, stored, and erased?
- Data obtained during a penetration test is very likely going to sensitive. Ensuring testers have a considered approach to data governance is essential.
Conclusion
When selecting a penetration tester, it’s crucial to focus on candidates with a strong foundational background, blending hands-on experience with advanced certifications. A recent graduate may have theoretical knowledge but lack the real-world experience needed to identify subtle threats. Similarly, an engineer without offensive security training could miss critical details that might lead to network compromises. The ideal tester will have a proven track record, reinforced by credentials that reflect their experience and education.