The reputation of the service provider is an important aspect to consider. Pay particular attention to the quality, trustworthiness, independence and technical expertise of the provider.
Quality is reflected in certifications, detailed blog posts, reports in trade journals and the experiences of existing customers.
Trustworthiness is of course another important factor, as the commissioned service provider gains access to sensitive company data. That is why the values, philosophy and working culture of your company and of the penetration test provider should match.
In a podcast of the BSI, our founders give insights into our corporate philosophy. Independence is also important: selling hardware and software solutions should not be the provider's focus, because a tester who also sells the remedy has an incentive to find the problems that remedy solves. A reputable pentest provider therefore acts as an objective expert and independent consultant.
There are several indicators of the technical expertise and competence of a penetration testing provider. First, experience plays an important role: building up real expertise in IT security takes time and continuous training. Secondly, research and further development within the provider's own company are relevant. The provider should always be up to date with the latest vulnerabilities and attack techniques and should keep developing its methods in order to advise you comprehensively. A provider whose knowledge is out of date will miss current attack paths, and that can have serious consequences.
The consultation your company receives from a potential penetration test provider is the cornerstone of a good cooperation. For this reason, make sure that the provider responds to your needs and expectations. Each company must be viewed individually, as its protection needs differ, and your penetration test should be scoped just as individually. A good indication of a professional penetration test provider is therefore that it asks many questions about the infrastructure to be tested during the quotation process, in order to coordinate the type and scope of the test as precisely as possible.
During the quotation stage, ask how the penetration test provider performs the analysis. There are very different approaches, and the risk involved and the amount of data collected differ considerably between them. As is so often the case, there is no right or wrong here, but the procedure should correspond to your wishes and expectations:
Every penetration test provider should follow a clearly structured process for their pen test in order to avoid confusion and to deliver the best possible test results. The course of the penetration test is the framework of the project.
Information about the contact person, the timeline, the coordination dates, the test period and the completion of the project should be clearly communicated here so that you are always up to date and not restricted in your day-to-day business.
An appropriate pen test is always based on the scope and functionality of the infrastructure to be tested. In other words, if you have a single server with few functions, the test will likely be completed quickly. If you have 100 servers, the test will take considerably longer. The effort for the test should therefore be proportionate to the infrastructure; a quote that does not change with the scope is a warning sign.
The implementation format and a clearly defined methodology reflect the quality of the penetration test, so pay attention to how the test is carried out. A purely automated penetration test will not meet your individual needs because it can only act superficially: a scanner reports known, signature-based issues and cannot find business-logic flaws or chain individual weaknesses into a realistic attack path. Such assessments convey a false sense of security and hide additional risks.
A manual pentest, on the other hand, can be optimally adapted to your individual protection needs and delivers comprehensive results.
To round off a penetration test, the "human" risk should not be ignored by the penetration test provider. Therefore, find out whether social engineering is covered, as this is often neglected. In addition, you can improve the awareness of your employees with IT security training.
Documentation is the heart of a penetration test. All security risks and vulnerabilities should be comprehensively and thoroughly recorded in this report.
Pay attention to the format in which this information is delivered. Ideally, there are separate versions for management and for IT: an executive summary and a technical report with concrete recommendations for remediation, plus a comprehensive presentation of the results. This is also a good way to confirm that you are actually dealing with IT security experts, because only those who understand their craft can explain it in an understandable way.
The search for the right penetration test provider is complex and time-consuming. With the 5 tips above, we would like to help you make an informed decision.
In this way, you can put potential penetration test providers through their paces even without technical expertise.