How To Choose Your Penetration Tester?
- 09 Feb 2021
- Business Security, Tech Due Diligence, Web Applications
All businesses that handle or deal with any confidential information must follow these requirements to minimise the chance of falling victim to a data breach.
Around the UK there are hundreds of companies offering penetration testing. For businesses looking for penetration testing for the first time, the choice can seem daunting, and an ever-growing list of pen testers online does not make it any easier.
But what should you look out for when choosing the right one for you, one that will deliver a high-quality service? The most important attributes fall into three categories: experience, certifications and price.
A big factor is a pen tester's experience. Establishing whether the pen tester has direct experience in the industry is important, because it indicates how well they will execute the job. If they have worked their way up within the industry, for example from web developer to penetration tester, they will be aware of the specific and common problems that arise when building a web application, and will actively look for those problems during the assessment.
They will also be familiar with the software commonly used in web applications, which makes the assessment they deliver more effective.
Ensuring a pen tester is fully qualified and trained in the service they provide is important. You should always look out for CREST-accredited pen testers and any other recognised cyber security qualifications. OWASP is another good thing to look out for, as it shows that the pen tester follows an industry-standard methodology.
Qualified pen testers give you assurance that they have up-to-date knowledge of hacking techniques and will carry out a thorough assessment without causing any disruption to your website.
There is no fixed price when it comes to penetration testing due to the variety and complexity of IT systems. The price will depend on what you are working on and how much depth you need to go into. Due to this, pen testers often go with a day rate. Day rates will differ company to company as it all depends on experience, qualifications and reputation.
To quote you as accurately as possible, a pen tester will most likely ask for a demo of your product. From this they will estimate how many days they need to spend on it.
The fewer questions they ask, the less accurate the quote is likely to be, and the poorer the service you will most probably receive.
Other things to consider:
Thorough reporting and feedback
To get the best value from your penetration test, it is good to know the level of support the pen tester provides after the test. When a test is completed, the pen tester will provide you with a written report detailing the vulnerabilities and weaknesses found and the severity of each issue.
A good pen tester should be flexible. They should be able to offer on-site tests and out-of-hours testing if needed, and should always put your business needs first to ensure the best service is provided. Scoping and customising test times around the customer's business requirements shows commitment to the job and builds trust.
Check that they have appropriate insurance in place should anything go wrong; this shows the business is reputable and fully accountable.
If you have any questions on penetration testing, please don’t hesitate to contact us.