Penetration Testing Provider Selection
Not every company offering penetration testing services automatically provides high-quality results. This poses a challenge if you have no expertise internally to select a suitable service provider.
Here are a few tips and recommendations on how to find a good penetration testing provider:
- Companies that specialize in security services often provide better penetration tests than companies that "also" do pentests in addition to entirely unrelated services.
- Sometimes even security companies use penetration tests to pitch their "main" product. Picking a company where the main products are related to security consulting (including pentesting) is often a safer bet.
- Most highly qualified penetration testing providers run a blog where they publish technical details of security vulnerabilities and research they have recently conducted. It also helps to look for "CVEs", that is, publicly disclosed vulnerabilities in widely used standard software, that the company identified in the course of its work.
- Presentations at industry conferences such as Black Hat, DEF CON, Hack In The Box, CanSecWest, etc. are usually a good indicator that the company has the required expertise and experience.
- Even within qualified companies, expertise between individual people can vary significantly. To get the most out of a penetration test, request senior security consultants, ideally folks credited with having found security vulnerabilities (CVEs), or who have presented at industry conferences.