Joseph Sheridan is the Owner and Principal Consultant of ReactionIS, a CESG-approved CHECK penetration testing company. His qualifications include CHECK Team Leader, CREST Consultant (Web App and Infrastructure disciplines) and CISSP.
There are many penetration testing companies offering similar services, but how can a prospective purchaser choose between them? This article sets out the factors that should be considered when selecting a pen test company or consultant.
Penetration testing is an art, not a science. It is not possible to try every mathematically possible way of interacting with a web application or computer system to test for security vulnerabilities. It is therefore imperative that the security consultant testing your systems can draw on years of experience to home in on the areas where vulnerabilities are likely to occur, and also has the skill to exploit a flaw and demonstrate the true extent of the vulnerability.
The main qualifications for penetration testing within industry and government circles are the CHECK Team Leader, CREST Certified Web Application/Infrastructure Consultant and the Tigerscheme Senior Tester certifications. It is widely recognised that security consultants with one or more of these qualifications are at the top of their game. Without these qualifications within the testing team, testing quality can vary and easily exploitable security holes may be overlooked.
Ensure that the penetration testing company provides security consultants with security clearance suitable for your industry. Testers who cannot achieve the requisite clearance levels may not be trusted to handle your data, which in many cases will contain sensitive information about security vulnerabilities in client systems.
The CESG CHECK and CREST schemes both maintain lists of authorised penetration testing companies that have met demanding entry requirements. These requirements include an assessment of staff capabilities, reporting quality, testing methodology, data handling and project management, amongst others.
Security research allows consultants to showcase their expertise in the field and ensures that consultants are one step ahead of the bad guys. Ensure that your pen testing company can demonstrate research experience.
Each industry sector has different objectives and goals when commissioning security testing. Ensure that the prospective penetration testing company understands the challenges of your industry/government sector and has previous experience of working in your sector.
Joseph Sheridan is a CHECK Team Leader, CREST Consultant (in both Web App and Infrastructure disciplines) and CISSP certified. He founded ReactionIS, one of the CESG-approved CHECK penetration testing companies, and holds multiple security clearances including HMG and NATO. Joseph has released important security advisories which now feature in the widely used Metasploit exploit framework.