a. Can you provide evidence of a solid reputation, history and ethics (eg. a full trading history; good feedback from both clients and suppliers; a reliable financial record; and a strong history of performance)?

Two of the most important criteria for a buyer of penetration testing services to consider are the reputation (and history) of the supplier; and the ethical conduct they both adopt and enforce.

b. Do you take part in specialised industry events (such as those run by CREST or OWASP chapters)?

A reputable supplier will have achieved suitable professional accreditation (such as CREST), and be a member of current, relevant professional and industry bodies.

c. Are you able to demonstrate exploits or vulnerabilities you have found in other similar environments?

d. Can you provide independent feedback on the quality of work performed and conduct of staff involved?

They will also have processes in place for agreeing scope and obtaining permissions for the type of work to be conducted, where it will take place and what information and systems will be accessed.

e. Do you adhere to a formal code of conduct overseen by an independent industry body?

a. Can you show that you provide high quality services, including the methodologies, tools, techniques and sources of information you will use as part of the testing process?

Some suppliers will hit you with a volley of ‘vendor hype’ that can be difficult to penetrate. It can therefore be a real challenge to find the right quality of service at the right price.

b. How do you perform rigorous and effective penetration tests to ensure that a wide range of system attacks are simulated?

Suppliers should be able to produce insightful, practical and easy to read reports, engaging with senior management in business terms, resolving issues with IT service providers, and addressing global risk management issues.

A quality supplier will not only deliver a highly effective testing process, but can differentiate themselves by the quality of the customer services they provide, effectively providing a professional service wrapper around the test.

c. Can you describe your proven testing methodology that is tailored for particular types of environment (eg. infrastructure, web applications, mobile computing)?

d. Can you demonstrate your organisations’ penetration testing capabilities (eg. by make a presentation; showing examples of similar (sanitised) projects they have undertaken) and providing a sample report?

e. Do you have independently reviewed quality assurance processes that apply to each test being undertaken, to help make sure client requirements are being met in a secure, productive manner?

a. Do you have an active, continuous and relevant research and development capability?

b. Have you produced research papers, published vulnerabilities or won awards in the industry?

c. Do you perform sufficient research and development to be able to identify all significant vulnerabilities?

d. How do you carry out specially tailored, manual tests to help detect unknown vulnerabilities, rather than just using a standard set of tools?

One of the biggest selling points for some suppliers is the quality and depth of their technical research and development (R&D) capability.

Some suppliers will constantly develop specific methodologies to address different environments, such as infrastructure, web application, wireless, mobile etc.

A good technically competent supplier is likely to carry out about 70% manual testing (simulated hacking!), as opposed to 30% using automated tools.

a. What qualifications do your testing staff hold in the various areas in which tests may be required (such as web application testing)?

b. How do your testers identify ‘root cause’ findings, strategically analyse findings in business terms, help develop security improvement strategies and recommend countermeasures to both address vulnerabilities and prevent them recurring?

c. Can you specify: named individuals who will be responsible for managing and conducting the test, their experience of the environment within the scope, their qualifications and the exact role each individual will perform?

The penetration testers used by your supplier should have deep, technical capabilities in the specific areas that are relevant to your target environment (eg web application, infrastructure, mobile or vendor-specific).

CREST provides accreditation in different technical areas, such as CREST web application testers and CREST infrastructure testers. There are also specific examinations in areas such as wireless testing.

a. Do you apply independently validated security and risk management controls over the testing process, all relevant people involved, key aspects of target systems and any client data affected?

b. Can you provide written assurances that the security and risks associated with our critical systems and confidential information (together with any other business risks) will be adequately addressed – and compliance requirements met?

c. How do you ensure that results of tests are generated, reported, stored, communicated and destroyed in a manner that does not put the organisation at risk?

It is important that the supplier themself is secure – and has a positive approach to both security and risk. Your supplier should be able to provide assurances – preferably in writing – that the security and risks associated with your critical systems and confidential information (together with any other business risks) are being adequately addressed.

During any security assessment it is likely that the test team will encounter sensitive or business critical data. You will need to be comfortable that you can trust both the supplier – and every individual tester they provide.

a. Does your organisation hold strong professional accreditation?

b. Can you outline the problem reporting and escalation processes that you adopt should there be a problem with the testing?

c. Are you supported by a constructive, expert complaint process, with sufficient independence and authority to resolve issues?

Penetration testing organisations who have been professionally accredited will provide you with confidence that major vulnerabilities have been identified and properly addressed. They will also bring with them a wealth of experience drawn from client work across a range of companies and sectors, allowing lessons learnt from one to be transferred to others.

The CREST scheme requires organisations to demonstrate that they have appropriate procedures and controls in place to protect client information and systems.