There are several reasons why your business might be looking to hire a penetration tester. For many businesses, first penetration testing comes at the request of a potential business partner. To close a large deal, your partner asks you to hire a penetration tester to verify your security. software of your team. As part of the contract, you will categorize the vulnerabilities they reveal and correct any important issues. Other companies want to do penetration testing as part of the process to increase their security. Maybe your company is trying to secure a big one investment, take on larger customers or are on the verge of being acquired.
Whatever the reason, choosing who will do the penetration test is a process you have never done before. Usually, you need to find someone in a short time. However, you do not want to find someone who will do a bad job and you do not want to pay more than their skills are worth. A penetration test is an opportunity for your business to improve your security attitude. Many companies make the mistake of paying for a real penetration test, and then immediately ignore all the results.
So how do you choose the right pentester, quickly and at an amount that fits your budget? In this article, we will look through some tips on how to find the right person.
Use your business network
This tip seems obvious, so it's the first on the list. It is also a piece of advice that their leaders forget operational. Many business leaders will pass on the research for a penetration tester. Assigning a job like this may not seem very appealing to you but if you are evaluating potential testers yourself you will definitely make the best choice, especially if you also get recommendations for specific individuals or companies that are penetrating testing in your business.
Using your network to locate a pentester is more than just asking who is good. Instead, you can use your network to get a taste of the skills of the person you are likely to hire. For example: the most critical ability for a penetration tester is communication. At the end of a contract, your pentester will generate a report. This report will describe the vulnerabilities identified, how they were found and their relative severity. A key aspect of this report is that it is designed to be understood by both the technical staff and the business leadership. This means that you need to find someone who is extremely communicative.
Beyond understanding the basics skills and other forms of communication, another thing your business network can guide you with is the tester methodology. Like professionals in all fields of work, penetration testers have their own style of work. Some tend to keep it to themselves, while others report on the way their teams work. Some will simply record each vulnerability while others will sit down with your technical staff to explain where a vulnerability comes from and how to avoid it in the future.
By talking to people in your business network, you can ensure that the tester you hire meets the needs of your team.
Check their credentials
In most of the technological world, certifications do not play a very important role. This is not the case in the world of penetration testing. There is some penetration testing that is very important. If your pentester has one (or more) of these certifications, you can be sure they know the basic skill level. The best security certifications are also accompanied by a moral element that certifies that the controller will not use the knowledge he or she has acquired about your system to invade it later. You don't want to hire a pentester to identify vulnerabilities in your system, and then end up stealing your customer data.
In the world of penetration testing, three certifications are considered quite good:
- The certification Certified Ethical Hacker
- The certification GIAC Penetration Tester
- The certification Offensive Security Certified Professional
Any tester with one of these certified certifications is likely to serve your business well.
Make sure they have experience
Penetration testing is a difficult field. As a rule, you don't want to hire someone just starting out. Your business pays good money to hire someone to find vulnerabilities in your software. They really need to do that. Unfortunately, it can be difficult to know if your pentester is very specialized. The fear is double if they have none certification. Sure, if they've taken twelve penetration tests, for example, but you haven't been verified by someone you trust, you don't know how well they did. It is just as likely that all their previous work is NDA-covered (non-disclosure agreement).
Many larger companies (such as Google) will run bug fixes where they will pay security researchers to find bugs in software their. This is not a real penetration test, but it is very close. Finding a pentester who has gone through the vulnerability bounty program with one or more companies is likely to be a good choice. Knowing how to identify and describe errors means that they have many of the required skills needed to be a good penetration tester. Bug bonties also serve as a good moral test. A tests who finds vulnerability and discloses responsibly to the company in charge is likely to be someone you can trust.
An even better test of ethics is to expose vulnerabilities in public. This is a process by which security researchers uncover public vulnerabilities in various software without being paid. Maybe the software has appeared in a database. Finding publicly revealed vulnerabilities is not fun, but it is better than learning about them because someone took advantage of them.