Choosing the right penetration testing company can be a difficult process, especially when you are trying to find one that meets your specific needs. When deciding on a penetration testing company, it is important to consider certifications and compliance. This guide will give you all of the information you need to make an informed decision about which penetration testing company is best for you.
Penetration Testing For Compliance
Many organizations commission penetration tests because a regulation or standard they are subject to expects one: PCI DSS, HIPAA, FISMA (through NIST SP 800-53), GDPR and ISO 27001 all call for security testing of some form. A pentest can be conducted internally by an organization's own IT or security team, and some of these standards allow that as long as the testers are organizationally independent of the systems under test. In practice, most organizations engage a third-party penetration testing company with experience in the relevant standard, both for that independence and because an external report is easier to defend to an auditor or assessor.
PCI-DSS
Source: Cobalt.io
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes or transmits cardholder data. It is organized into 12 requirements covering technical and operational controls, and penetration testing is part of Requirement 11. The standard requires internal and external penetration tests at least annually and after any significant change, covering both the network layer and the application layer (including all public-facing web applications), plus testing of any segmentation controls used to isolate the cardholder data environment from the rest of the network. The testers may be internal staff or a third party, but they must be qualified and organizationally independent. Related requirements also expect vendor-default and well-known passwords to be changed and common application flaws such as SQL injection to be addressed, both of which a PCI-scoped penetration test should verify.
GDPR
The European Union's General Data Protection Regulation (GDPR) is a major overhaul of data protection law across Europe. GDPR does not name penetration testing explicitly, but Article 32 requires controllers and processors to implement security appropriate to the risk and to have a process for regularly testing, assessing and evaluating the effectiveness of those measures; a penetration test is a common way to meet that expectation. Because testers may encounter personal data in scope, the engagement contract should define what personal data they may access, how it is handled and kept confidential, and how any captured data is destroyed afterwards. The organization must also keep records that provide evidence that appropriate security measures were taken, so the test report becomes part of that evidence.
ISO 27001
The ISO 27001 standard specifies the required elements of an Information Security Management System (ISMS). It does not mandate penetration testing by name, but its Annex A controls on technical vulnerability management and its requirement to monitor and evaluate the ISMS mean that most organizations seeking certification use penetration tests as evidence. A penetration test used for ISO 27001 purposes should identify and report vulnerabilities, rate their risk, provide recommendations for fixes, and recommend procedures that will help the ISMS maintain security over time.
HIPAA
HIPAA's Security Rule requires covered entities and their business associates to perform a risk analysis and to implement administrative, physical and technical safeguards for electronic protected health information (ePHI). It does not mandate penetration testing by name, but a test is the usual way to show whether those safeguards actually work. A penetration testing company that will have access to ePHI during an engagement is itself a business associate, so you should expect to sign a Business Associate Agreement with it and confirm that it handles any data it encounters according to the HIPAA Rules. The test itself should cover the safeguards the Rule expects: physical access controls so only authorized personnel can enter data areas, correctly installed and patched software, and tightly controlled system administrator privileges.
NIST 800-53
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. One of its publications is NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations" (Revision 5; the earlier Revision 4 was titled "Security and Privacy Controls for Federal Information Systems and Organizations"). It is the control catalog federal agencies use to meet FISMA. Penetration testing appears as control CA-8, which requires an organization to conduct penetration testing on defined systems at a defined frequency, with control enhancements covering independent penetration agents or teams and red team exercises. A test against this standard should therefore be scoped to the system's selected controls, and the report should state which controls and enhancements each finding affects.
Choosing A Penetration Testing Company
Now let’s look at some of the factors that determine which penetration
testing company you should choose:
1) Cost
Penetration testers can charge by the hour, typically anywhere from $50 to $200 an hour depending on experience. Penetration testing companies may instead quote a flat fee per engagement, which can range from $500 to $15,000 depending on the size and complexity of the systems in scope. Price should not be the deciding factor, though. A cheap test run by inexperienced testers can cost far more in the long run if it misses something important, and several of the standards above require the test to be performed by qualified, independent testers.
2) Reference and Experience
You also want a penetration testing company that will provide references on request. A reputable company will have completed engagements it can point to and former clients who can speak to the quality of its testing and reporting, so it should have no problem supplying references, subject to its confidentiality agreements.
You also want to look for an experienced penetration testing company. Penetration testers with over two years of hands-on testing experience, and ideally recognized certifications such as OSCP or CREST, can better handle complex engagements and are more familiar with penetration test standards such as PCI DSS.
3) Communication
A penetration testing company also needs to communicate well with you before, during and after the test. Penetration tests can be lengthy and complicated depending on your company's infrastructure, so the testers should agree the scope and rules of engagement up front, tell you promptly if they find something critical mid-test, and be able to explain their findings in terms both engineers and management can understand.
4) Reporting
Penetration testers need to deliver a written penetration test report with recommendations. A good report includes the test objective and scope, the methodology used, an executive summary, and a list of every vulnerability found with a severity rating, the affected systems, and the evidence and steps the tester used to find and confirm it, so your own team can reproduce the issue and later verify the fix. The findings should come with suggestions on how to fix them and how to make your company more secure ahead of future penetration tests.
5) Penetration Test Recommendations
A penetration testing company should provide recommendations for how to fix each finding, prioritized by risk, and ideally offer a retest once fixes are applied to confirm they worked. That way you avoid repeating the same findings in future penetration tests and make your company more secure overall.
Conclusion
Choosing the right company to do your penetration testing can be difficult, but this article has given you some things to consider. Decide which standards and compliance obligations matter for your business before making a decision. The next time you are looking for a penetration testing company, ask these questions to make sure it will be able to help your organization.