When it comes to selecting a penetration testing provider, there are numerous questions you can ask. How much experience do they have? What certifications should the penetration tester hold? Will they help me fix the identified vulnerabilities in my systems and if so, how? In this blog post, we will explore 20 key questions to ask your penetration tester, from questions about the provider and its penetration testers to questions about the penetration testing process and results.
About the provider
1. Is penetration testing part of your core business?
Knowing if your penetration tester is a company specializing in penetration testing or if penetration testing is just a side service can give you some insight into how seriously they take their work. A company that specializes in penetration testing is likely to have more experienced staff and better processes in place.
2. Do you hold professional liability insurance?
Liability insurance protects you in case the penetration testers make a mistake during the assessment that damages your systems. Although a good penetration testing provider very rarely causes such damage, a provider holding this insurance shows that it cares about its clients and is willing to take responsibility for any damage caused.
3. Can I reach out to a former client?
Being able to speak to former clients can give you valuable insights. You can find out whether the testing services met their expectations and whether they would recommend the provider. A penetration testing provider that lets you reach out to former clients is more likely to deliver quality service.
4. Do you hold any organizational certifications, such as ISO 9001?
Organizational certifications such as ISO certifications can give you some insights into the company’s quality management system. The penetration testing provider holding the ISO 9001 certification is likely to have well-defined processes and procedures in place to consistently provide products and services that meet customer and regulatory requirements.
5. How many pentesting projects do you conduct annually?
A hesitant answer to this question might indicate that the company is not very experienced. Depending on the size of the company, a ballpark figure of 200 projects per year would be considered normal. But, to be meaningful in terms of the quality delivered, the number of annual projects should always be considered along with other factors, such as organizational certifications and reputation.
6. Do you make a distinction between network and application testing?
Application security has become vital for organizations, as millions of users now rely on applications to manage their most sensitive information. This makes application penetration testing more specialized and far more detailed, targeted, and complex than network penetration testing. The development of top resources for improving application security speaks volumes about how critical a concern it has become for organizations. If the penetration testing company does not make this distinction, it might not be able to provide quality services.
7. Which measures are used to protect your client’s information?
A professional, reputable penetration testing company should have strict confidentiality and data protection measures in place, notably through a non-disclosure agreement (NDA) process. NDA documents ensure that confidential client information will be protected and not shared with any third party.
About the team
8. Which team members would be assigned to this project?
You should be informed of the team of penetration testers assigned to your project, their years of experience, certifications, and skills. This way, you can be sure that your project is in good hands and that the team has the necessary expertise to conduct a successful penetration testing engagement.
9. Are your projects subcontracted? If not, what are your hiring practices?
If the company subcontracts its projects, it might not have full control over the final quality of the services delivered, and subcontracted or outsourced penetration testing projects are known to deliver lower-quality results. Make sure to also ask about the company's hiring practices, meaning the processes and criteria used to select new penetration testers. A provider with a structured hiring process is more likely to find and retain the right talent and deliver consistent quality.
10. Which certifications do your specialists hold?
With all the information security and penetration testing certifications available out there, it can be hard to know which ones really matter. Among the top 8 penetration testing certifications your provider should hold are the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) and the Offensive Security Certified Professional (OSCP).
11. Do you have experience in my industry?
A provider serving clients of all sizes across all industries says a great deal about its experience and expertise. However, if you want a penetration testing provider with deep knowledge of your industry and its compliance landscape, make sure to ask about its experience in your specific industry in terms of projects delivered, testimonials, and industry insights.
About the process
12. Which penetration testing methodologies do you use?
A penetration testing provider applying the top penetration testing methodologies, standards, and vulnerability reference frameworks, including OSSTMM, OWASP, NIST, CVE, CVSS, and CAPEC, will likely deliver more comprehensive and valuable results for your project.
The same can be said for a provider that rates the security risk of technical vulnerabilities using the Common Vulnerability Scoring System (CVSS), published by the Forum of Incident Response and Security Teams (FIRST), which is the de facto standard for scoring IT vulnerabilities.
13. Which percentage of the test is automated vs. manual?
The ratio of penetration testing to vulnerability scanning a given provider uses says a lot about the quality of the services it delivers. The provider should be able to tell you which part of the test is automated and which is manual. If the majority of the test is automated, it might not be very thorough and might not deliver the expected results. A testing approach focused mainly on manual tests typically delivers better results, as it covers more of the actual attack surface that real-world attackers can readily exploit.
14. How will you protect my testing results during and after the tests?
A provider with strict confidentiality and data protection measures in place, notably through non-disclosure agreements (NDAs) and penetration testing policies and best practices, is more likely to adequately protect the confidentiality of your testing results. A provider should always be able to tell you what measures, best practices, and policies are in place to protect your information.
15. How will you ensure the availability of my systems or services during the tests?
The penetration testing provider should have a plan in place to ensure the availability of your systems or services during the tests, so that you can be sure the tests will not cause any disruption. A provider that states its predefined limitations for minimizing the impact of testing on your systems, such as refraining from denial-of-service (DoS and DDoS) attacks, is more likely to keep your systems fully operational and available during testing.
About the results
16. What is covered by your report?
A good, reputable provider typically delivers a comprehensive report that should include the following:
- Executive summary: The executive summary should provide all stakeholders, including those who are not technically proficient, a description of the identified risks and their potential impact (financial and otherwise).
- Technical details of the vulnerabilities: Vulnerabilities should be broken down by category (injection, web applications, etc.) and by level of priority based on the CVSS scoring system (critical, high, moderate, low).
- Potential impact and risk level of each vulnerability: This part should describe both the likelihood of each risk your business faces and the potential impact of each vulnerability on your systems.
- Solutions to fix the vulnerabilities: This part should include sufficient detail for your IT team to remediate each of the identified vulnerabilities quickly and efficiently.
- Methodologies used: Manual testing generally follows phases such as information gathering, vulnerability assessment, exploitation, and reporting; automated testing can be aligned with recognized standards such as OWASP, OSSTMM, and NIST.
17. Do you have any sample reports available?
The penetration testing company should be able to provide you with sample reports, ideally from penetration tests conducted in your industry. A sample, along with the list of items you should find in a report, will give you a good idea of what to expect from the provider's report.
18. How do you ensure the consistency of your deliverables?
Certifications such as ISO 9001, demonstrating an organization’s ability to consistently provide products and services meeting customer and regulatory requirements, will help you determine how the provider can ensure consistent quality deliverables, project after project.
19. Will you help me fix my vulnerabilities? How?
Your penetration testing provider should not only present their findings and actionable recommendations with external references, but also provide some post-testing support to help your team fix the identified vulnerabilities.
20. Are re-tests of identified vulnerabilities included?
Your provider's penetration test should include re-testing of any critical or high-severity vulnerabilities, allowing you to validate your team's remediation effort.
Final words
There are many other questions you could ask penetration testing providers during the selection process. The 20 questions listed in this blog post should give you a good starting point when conducting your due diligence on potential providers. But, if there’s one question above all you should be asking your penetration testing provider, it’s whether the provider can understand your organization’s specific business needs. Penetration testing providers with a good understanding of your industry are more likely to help improve your cybersecurity posture.
Contact us if you need help with your penetration testing project.