Tuesday, March 22, 2011

Choosing the Right Penetration Testing Company

by Jeremy Powell

I recently spoke at the Austin ISACA meeting about how penetration testing is a necessary addition to an auditor's toolkit. In my talk, I covered what information assurance is and why we need it, how auditing and penetration testing both serve to build assurance about a company's infrastructure, and what the unique aspects of penetration testing are that cannot be replaced by auditing.

During my talk, I mentioned that an organization needs to trust both the integrity of the penetration testing company and its technical competence in order for testing to be successful. However, when an audience member pressed me for how to identify such a company, I found it very difficult to come up with any criteria other than: Is the company named 'atsec'?

So, to better serve my audience at ISACA that day, I've prepared a much less subjective list of requirements an organization can use to help determine which penetration testing company to contract with:

  1. Is information security their core business?
    Some companies provide penetration testing services, or vulnerability scanning, as a secondary service to complement a broader set of offerings outside the security realm. While it is probably good for a company to have sources of revenue from many different areas, it may not be best for its customers. If a company has a strong focus on security, every decision that is made, from technical to management, keeps security a central theme. With that kind of focus, you know you'll be working with people whose interest in security drives them to be world-class security experts.
  2. Do they practice information security themselves?
    Your company is only as secure as the people you let in. Asking what security standards a company is compliant with will give you a good understanding about how seriously they take security—both yours and theirs. Besides, the best security advice comes from the companies who believe in their own advice enough to accept it themselves.
  3. Is the company properly licensed and their staff qualified?
    Penetration testing companies need to obtain a Private Investigator's license before they can work for you, according to the law in Texas and several other states. This is necessary because when your networks are tested, your customer's third-party information is potentially exposed to the testing team. The government sees this as the same legal situation as performing private investigations.
    Also, you can ask to see any technical certifications or qualifications the company, or the individual testers, might hold.
  4. How does the company interact with and contribute to the security community?
    It's one thing to be a master of your art, but those who contribute to furthering the art are the true leaders. Check to see if the company participates in local security organization chapter meetings and contributes to national and international security standards.
  5. Does the company have a proven record of successful, on-time projects?
    Always ask for references. Some companies have even made agreements with previous clients to remove sensitive information from past reports and use them as references. A sanitized report will give you a good example of their level of detail and professionalism.
  6. Is the company financially independent?
    Questioning the motives of a company is not a pretty thing to do, but sometimes it must be done to determine whether their advice is in your best interest (and not theirs). Financial dependence on third-party vendors (or even competitors) may raise the question of why they want you to install a particular brand of firewall or buy an expensive license for a third-party scanning tool.
  7. Does the company have sufficient insurance and reasonable legal agreements?
    Penetration testing is risky, so controlling that risk is necessary for a penetration test to be successful. This means making sure that the company has sufficient insurance to cover any problems that may occur during testing and does not burden you with unreasonable legal requirements.
