8 steps: How to choose the right pentest service provider?


Hello, Hive & Apiary users!

We've collected a few essential steps for choosing your future pentest service provider. They apply to anyone who decides to integrate pentesting into their development cycle.

Here are 8 things you should look at.


1. Expertise

Make sure that the pentesting contractor you choose is experienced in testing companies of your industry or at the very least of related industries.

All information about this should be specified on the pentesting company’s website along with acknowledgment letters from their clients.

Questions you can ask

  • What proven pentesting experience does the company have?
  • Has the company ever tested organizations operating in the X industry sector?

2. Proficiency confirmation

The experience of employees conducting penetration testing must be relevant to your needs.

It is worth paying attention to training certificates, such as CISSP, CEH, OSCP, any activity at relevant conferences (Black Hat, DEF CON, RSA Conference, etc.), and publications in reputable media resources.

Sadly, there is no definitive way to verify pentesters’ proficiency, but you can still ask them questions.

Questions you can ask

  • Do your experts have verified CVEs?
  • Do your experts have any commendations for discovered vulnerabilities?
  • Have your experts given talks at specialized conferences (Black Hat, DEF CON, RSA Conference)?
  • Do your specialists have certificates confirming their proficiency?
  • Is it possible to choose an expert to conduct pentesting?

3. Methodology

Choose a service depending on the results you expect, and find out which pentesting methodology the provider uses. Discuss how it fits the specifics of your company and meets your requirements.

The best coverage of a tested system is achieved by combining manual and automated testing. If a company offers only automated testing, question whether its competence is adequate and relevant for the project.

There are several types of pentesting, and the customers are often free to choose the one that suits them best.

Pentests can be split into categories

  • white-box testing — pentesting experts know as much as possible about the company and its infrastructure; they can cooperate with its technical and security specialists
  • grey-box testing — experts know only part of the information and can ask for clarifications
  • black-box testing — the most labor-intensive method from the pentesting experts' point of view; they know almost nothing about the company they are working for, except perhaps its name

Questions you can ask

  • Is it possible to make a project plan in advance to understand how the work will go and what the final cost of the service will be made up of?
  • What pentesting methodology will be used?
  • What internal data should be provided?
  • Can the course of the penetration test be changed while it is in progress?
  • Is it possible to pentest at night and on weekends, so as not to interfere with the services?
  • How will communication between the customer and the pentest provider be handled?

4. Reports

You can request a sample report. Based on the sample, you can adjust the expected result before the penetration testing has begun.

A good pentest report should include

  1. Discovered security issues
  2. Exploitation scenarios that can be used by adversaries
  3. Adversary models
  4. Recommendations on how to eliminate the discovered security issues

Questions you can ask

  • What will the report contain?
  • In what format is the report provided?
  • Will it be possible to edit the finished report? If so, for how long?
  • Will the report describe the steps and scripts to reproduce the vulnerabilities?
  • Will the report describe attack vectors that were attempted but did not succeed?
  • Is there an option to change the template of a future report?
  • Will intermediate results be provided? (This is relevant for long pentests.)
  • Is it possible to get information about critical vulnerabilities before pentesting is completed?

5. Data confidentiality

Your future pentest service provider must keep all of your data confidential, which must be specified in agreements and contracts: how the data will be stored and used and after how long it will be destroyed. Cases where the contractor uses a subcontractor’s services in your pentesting project must also be spelled out.

Questions you can ask

  • What country do pentesters work from?
  • Does the company’s data leave the territory of the customer’s country during pentesting?
  • How long will your data be stored?
  • How will the report be sent to you?

6. Costs

You can find prices ranging from $4,000 to $100,000 for an entire project; the average price is $10,000-$30,000.

Low prices like $1000 per pentest should raise concerns. Most likely, you will get neatly presented results from automated scanning tools. Conversely, some providers charge far more than the quality of their work justifies.

Also, the cost of a pentest is sometimes calculated from an hourly rate.

Questions you can ask

  • What do you charge for a pentest?
  • What services will be included in the final cost?
  • Will the cost of the service be directly related to the amount of time spent?
  • Does the cost of the service depend on the proficiency of the specialists?
  • How much of the total testing time will it take to write the report?

7. Retesting

Discuss the possibility of retesting after you have fixed the security issues the contractor identified. Some contractors also offer to help you fix the bugs from the start, which makes things easier for you, since not all companies have enough resources for this.

Questions you can ask

  • Does the service include fixing the discovered security issues?
  • After fixing the discovered security issues, how much will a retest cost?

8. Security

Security testing can damage a tested infrastructure. This should be considered in advance to avoid misunderstandings and other issues.

Questions you can ask

  • Will the contract specify the permissible scope of actions of pentesters?
  • What if the pentesters exceed the agreed permissions? How will that be resolved?
  • What if the pentesters' actions cause damage to the system?

Final Thoughts

The points in this guide can differ depending on your company's needs and financial capabilities. There are enough pentesting service providers to choose from, and they will help you achieve the desired level of security.

If you want to manage penetration testing by yourself effectively and fix vulnerabilities faster, take a look at the Hexway platform.
