Home / Blog / General / Key questions to ask your penetration testing provider

December 13, 2018

More than ever, penetration testing is an essential tool for companies to assess their cyber security defences. And as a critical part of an on-going cyber readiness programme, you ought to be periodically reviewing your existing supplier – to keep your testing strategies fresh, as well as ensuring you get the best value and outcomes.

> Keep your pen testing strategies fresh

When evaluating or comparing potential suppliers, you need to ask the right questions, to ensure there is a good fit for your business requirements, the pen tester holds the necessary certification and he/she is experienced in the type of testing you’re after. And ultimately, you can be confident you will get the quality of service you demand.

Penetration testing provider

So what are the key questions to ask your pen testing provider?

1. What certifications do you hold?

Amongst others, we’d highly recommend making sure your pen testing provider is CREST-approved. While there are other recognised bodies, CREST is the gold-standard – a specialist organisation regulating the security industry, helping ‘guarantee’ adherence to industry-standard best-practice, as well as an enforceable Code of Conduct should anything go awry.

CREST-certified pen testing provider

CREST certification means that you can be confident your pen testing will conform to rigorous methodologies, up-to-the-minute techniques, and at the same time operational safety will be given the highest priority.

Whilst CREST is the main certification to look for, there are also other specialist certifications to look for, particularly if you’re in financial services or Critical National Infrastructure (CNI) – as well as others.

ISO 27001 – Information risk management

When discussing certifications, also don’t forget to ask whether the provider has ISO 27001 certification – the essential information security standard, as you’ll want to ensure that the company you engage will keep your sensitive data safe.

2. What’s your pen testing methodology?

Broadly, this is guided by the requirements laid down by CREST, but the engagement process will vary from provider to provider.

There is no ‘one-size-fits-all’ approach, specifically because every business is different – different infrastructures, different challenges, different objectives. But a competent specialist should be able to talk you through different types of penetration test, various hacking strategies, what purpose they serve, as well as how they fit your overall objectives.

Something to watch out for!

There are pen testing companies using incorrect terminology, misrepresenting the actual service provided. Described as a “penetration test”, but actually a customer receives a vulnerability scan – an automated tool which scans your IT infrastructure for ‘known’ technical vulnerabilities.

» What’s the difference between a vulnerability scan and a pen test?

Finally, it’s worth asking a bit about the supplier and pen tester’s experience. Who’s your point of contact? Can you find out the relevant experience of your designated pen tester? Are they a good fit for your organisation. Will you be dealing directly with the pen tester, via a client account manager, or both?

Even if you have a detailed understanding of pen testing, you should still expect information to be communicated in plain English – rather than tech talk.

3. What do your pen test reports look like?

Be sure to ask for a sample pen test report, and as you review them, consider what you want from a final report. Who will be consuming it? What’s their level of IT literacy? Look for clear and actionable advice for each identified vulnerability.

Common Vulnerability Scoring System (CVSS)

Importantly, there should be a risk-based scoring for each identified vulnerability, using a standardised scoring system – usually the Common Vulnerability Scoring System (CVSS) – an open-source industry standard for assessing the severity of security vulnerabilities.

CVSS assigns a severity score to vulnerabilities, so you can prioritise responses (and resources) according to the threat.

You will naturally also want to see that a report is delivered in a clear, easy-to-read format, suitable for both IT and (non-technical) senior management.

A pen test report should include:

  • Summary: Overview of key threats and business risks, in a high-level format suitable for non-technical Directors.
  • Technical: Outlines the steps taken by the pen testers to breach the network/defences.
  • Risk scoring: A vulnerability scoring system to rate issues discovered, based on severity.
  • Next actions: Recommendations and guidance on the steps necessary to remediate discovered issues.

4. What is your own internal security like?

The penetration test is highly likely to uncover critical security vulnerabilities within your organisation’s environment, and the accompanying report will document, step-by-step, how they are exploited. Ask for details on how this confidential data will remain secure, and any steps taken to ensure its safekeeping. Consider how you want the report to be delivered, and what the company recommends.

Secure storage of highly sensitive data

It is a requirement of a CREST-certified pen testing provider to adhere to strict security controls, concerning the communication of sensitive information – how it is stored (encrypted) and how it is delivered to the client (in person, in hard copy format).

A detailed Statement of Work (SOW) for the actual penetration test to be performed must document all of these details – so ask to see their documentation!

5. Do you offer remediation?

Suppliers will fall somewhere on a spectrum between offering broad advice, experts assistance with any corrective action required, or right up to full remediation services. Whilst some providers feel this may be a conflict of interest, many will offer at least some level of assistance with remediation. Obviously, it might be seen as self-correcting, but on the other hand, continuity and of a trusted relationship, as well as a full service, is valued by many customers.

6. Can I talk to a previous customer?

Ask for references. A successful, reputable company will be able to provide you with numerous satisfied customers to vouch for their services – even if they are naturally unable to divulge the type of work they were carrying out. You’ll get a good idea of the customer experience and be better-informed when making your decision.

You should also want to ask about the individual profile, experience and qualifications of the penetration tester that will be assigned to your project.

Further reading

Comtact's UK Security Operation Centre (SOC)

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.