Top 7 Quality Criteria for a Pentest Partner

13 December 2019

In the era of digitalization, the question of whether systems and applications are effectively protected from attackers is business critical for many companies. Choosing the right analysis methods is just as relevant as choosing a competent partner. In this series, we present the seven most important criteria you should consider when choosing a suitable partner for pentests, one of the most effective security analysis methods.

1. Highly qualified pentest professionals

A pentest is a simulated hacker attack in which the security analyst, or pentester for short, tries to penetrate a company’s systems using a targeted, individual and creative approach. The pentester should have undergone excellent training, have extensive experience with the relevant technologies and the different industries, and hold certifications according to internationally recognized standards. These include certifications from Offensive Security (e.g. Offensive Security Certified Professional, OSCP) or SANS (e.g. GPEN, GXPN, GWAPT). This is the only way to obtain high-quality results.

2. Team size

When executing critical pentests, a reliable delivery capacity on the part of your partner is essential. In addition, quality and efficiency also result from the reproducibility of the tests and the exchange of knowledge among experts. Therefore, when selecting your pentest partner, make sure that they have a team large enough to meet these requirements.

3. Knowledge transfer

The pentest provider should support continuous training. This includes external training and participation in national and international conferences. This ensures that the pentesters’ skills and know-how are always up to date. Ideally, the knowledge gained is shared within the team and with the security community.

4. Structured onboarding process, training and specialization

Consistent quality requires structured and efficient training in the various analysis methods, internal processes and tools. Furthermore, continuous training and specialization in one of the areas of IT security is crucial. This allows different subdisciplines of IT security to be combined.

5. Efficient use of professional tools

The use of professional tools and continuous quality assurance is essential. This way, standard tests can be carried out automatically, leaving pentesters more time to conduct complex manual analyses. The result is efficient analyses and comprehensive findings.

6. Optimum support for larger IT environments

Especially when analyzing larger IT environments, it can be very helpful if the pentest provider supports you in the preparation and execution of the pentests as well as in the remediation of the vulnerabilities found. Ideally, your asset, process and vulnerability management can be mapped securely and efficiently via an online platform.

7. Pentest report

Following the pentest, you should receive a comprehensive report containing a management summary and a technical report. The report should state the criticality level of each identified vulnerability and its risk of occurrence, together with recommendations for corrective actions. Ideally, your pentest partner takes your individual needs into account when creating the report.

Do you need assistance with pentests? The usd HeroLab is the technology and research center of usd AG. About 80 excellently trained security analysts from usd HeroLab check various network components (e.g. firewalls), all types of servers and desktops (e.g. database servers), and web applications and web services on a daily basis.

Contact us, we will be happy to advise you on your options.
