The reputation of the service provider is an important aspect which should be taken into account. You should put a special focus on the quality, trustworthiness, independence and technical expertise of the providers.
Quality is reflected in certificates, detailed blog entries and reports in trade journals or customer experiences.
Trustworthiness is of course another important factor, as the contracted service provider will have access to your sensitive company data. Therefore, values, philosophy and sympathy of your company and the penetration test provider should match.
In a BSI podcast, our founders give insights into our corporate philosophy.

Independence is also important, because the sale of hardware and software solutions should not be the provider's focus. A reputable pentest provider therefore acts as an objective expert and independent consultant.
There are some indicators of the technical expertise and competence of a penetration test provider. First, experience plays an important role: it takes time and constant training to build up deep expertise in the field of IT security. Secondly, research and further development within the service provider's own company are also relevant. The provider should always be up to date on the latest security gaps and vulnerabilities and continuously develop further in order to be able to advise you comprehensively, because outdated knowledge can have fatal consequences.
The consultation your company receives from the potential penetration test provider is the cornerstone of a good cooperation. For this reason, you should make sure that the provider addresses your needs and expectations. Every company should be viewed individually, as each has its own protection needs, and your penetration test should be structured just as individually. A good indication of a professional penetration test provider is therefore that many questions about the infrastructure to be tested are asked during the quotation process, in order to coordinate the type and scope of the test as precisely as possible.
When requesting a quote, ask how the penetration test provider performs the analysis. There are very different approaches, and the risk involved in data collection differs greatly between them. However, as is so often the case, there is no right or wrong here, but the procedure should meet your needs and expectations:
Every penetration test provider should follow a clearly structured process in their pentest to avoid friction and deliver the best possible test results. The penetration test process is the framework of the project.
Here, information about the contact person, the time schedule, the coordination dates, the test period and completion of the project should be clearly communicated so that you are always up to date and not restricted in your daily business.
A proper pentest is always based on the function of the infrastructure under test. In other words: if you have one server with little functionality, the test will probably be completed very quickly; if you have 100 servers, the test will take longer. Therefore, the effort estimated for the test should be based on the infrastructure.
The implementation format and a clearly defined methodology reflect the quality of the penetration test. Therefore, pay attention to how the test is carried out. An automated penetration test will not meet your individual needs because it can only act superficially. Such security assessments give a false sense of security and hide additional risks.
A manual pentest, on the other hand, can be adapted precisely to your individual protection needs and provides you with comprehensive results.
To round off a penetration test, the "human" risk should not be disregarded by the penetration test provider. Therefore, find out whether the topic of social engineering is covered, as this is often neglected. In addition, you can improve the user awareness of your employees through IT security training.
Documentation is the heart of a penetration test. This report should comprehensively and thoroughly record all security risks and vulnerabilities.
You should pay attention to the format in which this information is delivered. Ideally, there should be separate versions for management and IT, each with recommended actions and a comprehensive presentation. This ensures that you are actually dealing with IT security experts: after all, only those who understand their craft can also convey it in an understandable way.
The search for the right penetration test provider is complicated and extensive, but with the 5 tips above we would like to help you make an informed decision.
This way, you can put potential penetration test providers through their paces even without technical expertise of your own.