There are a lot of companies selling penetration tests (pen tests), but how do you know if what you are getting is a real pen test? When it’s something that’s less tangible than, say, getting an oil change, it can be hard to determine if what you are purchasing is what you need.
That’s why MainNerve has written up a few pointers.
A Real Pen Test will be more expensive.
Software makes things a lot easier, which typically equates to lower cost. The problem with using only software is that it’s as good as the programming. The software usually can’t take into account things that a human brain can, like skirting business logic or researching default credentials.
Consequently, a real pen test is more expensive due to a pen tester’s experience. The more tests they conduct, the more information they have to work with when looking for vulnerabilities. The testers will have a better understanding of what may happen when vulnerabilities are actually exploited and not just scanned.
Don’t worry if a company says they use software to help them find vulnerabilities. Unethical hackers will use all the software they can to try to attack their target. A good pen test should reflect that real-world experience. It should be a mix of some automated searching and manual testing. It makes things a little easier and quicker, translating into the price.
Testers will have the necessary credentials.
The testers should also have certifications, such as CISSP or OSCP. Many certifications require continuing education to maintain them, showing that the tester is always learning since vulnerabilities are ever-evolving. An ethical pen test company should be proud to display its tester’s certifications.
A real pen test will take more than an hour to test.
Because of the manual nature of a real pen test, the testing time should take more than an hour. A good question to ask any vendor is, “how long will it take?” The company will probably offer an estimate, as it depends on how many vulnerabilities are found and what types of vulnerabilities are discovered.
The account managers should ask many questions during scoping.
Since a real pen test will involve more than a basic vulnerability scan, giving extra information to the account managers will help the testers conduct a more thorough test. Knowing things like IP addresses, the types of devices, and URLs and credentials for applications will make the test easier and quicker. The testers should be looking at everything they can to let you know if you have any open holes.
For a full red team exercise, where a tester has no knowledge other than who the target is, the time for research could be weeks, meaning you are paying for all that time. That will also translate into the cost, and likely not in a way you want unless you know that red teaming is what you need.
A real pen test company should be able to provide sample reports.
These sample reports will likely be redacted but should reflect the type of work the company does. They should be more than a list of Common Vulnerabilities and Exposures (CVE), also known as a vulnerability scan. The report should have screen captures to prove a vulnerability was discovered and remediation recommendations.
Many factors go into a real pen test and how you can determine if a company is providing that service. We here at MainNerve hope this helps you make that determination. We strive for transparency when and wherever we can.