Top 7 Quality Criteria for a Pentest Partner

13. December 2019

In the era of digitalization, the question of whether systems and applications are effectively protected from attackers is business critical for many companies. The right choice of analysis methods is just as relevant as choosing a competent partner. In this series, we present the seven most important criteria you should consider when choosing a suitable partner for pentests, one of the most effective security analysis methods.

1. Highly qualified pentest professionals

A pentest is a simulated hacker attack in which the security analyst, or pentester for short, tries to penetrate a company’s systems using a targeted, individual and creative approach. The pentester should have undergone excellent training, have extensive experience with the relevant technologies and industries, and hold certifications according to internationally recognized standards. These include the certifications of Offensive Security (e.g. Offensive Security Certified Professional (OSCP)) or SANS (e.g. GPEN, GXPN, GWAPT). This is the only way to obtain high-quality results.

2. Team size

When executing critical pentests, reliable delivery capacity from your partner is essential. In addition, quality and efficiency also result from the reproducibility of the tests and the exchange of knowledge among experts. Therefore, when selecting your pentest partner, make sure that they have a team that is large enough to meet these requirements.

3. Knowledge transfer

The pentest provider should support continuous training. This includes external training and participation in national and international conferences. This ensures that the pentester’s skills and know-how are always up to date. Optimally, the gained knowledge is shared within the team and the security community.

4. Structured onboarding process, training and specialization

Consistent quality requires structured and efficient training in the various analysis methods, internal processes and tools. Furthermore, continuous training and specialization in one of the areas of IT security are crucial. This makes it possible to combine the different subdisciplines of IT security within one team.

5. Efficient use of professional tools

The use of professional tools and continuous quality assurance is essential. This way, standard tests can be carried out automatically and pentesters have more time to conduct complex manual analyses. This leads to efficient analyses and comprehensive results.

6. Optimum support for larger IT environments

Especially when analyzing larger IT environments, it can be very helpful if the pentest provider supports you in the preparation and execution of the pentests as well as in the remediation of the identified vulnerabilities. Ideally, your asset, process and vulnerability management can be mapped securely and efficiently via an online platform.

7. Pentest report

Following the pentest, you should receive a comprehensive report containing a management summary and a technical report. The report should state the criticality level of each identified vulnerability and its likelihood of exploitation, as well as recommendations for corrective actions. Ideally, your pentest partner considers your individual needs when creating the report.

Do you need assistance with pentests? The usd HeroLab is the technology and research center of usd AG. About 80 excellently trained security analysts from usd HeroLab check various network components (e.g. firewalls), all types of servers or desktops (e.g. database servers) and web applications or web services on a daily basis.

Contact us, we will be happy to advise you on your options.
