The most important criteria in choosing a Penetration Tester is not technical skill. It is not competence. It is not even ability to communicate findings. It is, quite simply, trustworthiness.
Remember, a penetration test is done to assess the security of an implementation. For example, when a new web site is rolled out, a penetration test is often done to check that the site’s firewall is set up correctly, that the web server is properly locked down, and that default passwords have been changed.
When allowing a pen test to be done, you are letting someone, or even a team, look through your computers and networks. That team is looking for ways to violate controls and gain access to sensitive information. You have brought them in to find holes before the bad guys do. And, it needs to be done discretely.
What you don’t want is that the testers end up disclosing those issues found to others either insider or outside your company. Methods of disclosure include, but are not limited too, emails, presentations at conferences or even blog postings. Think that this isn’t a problem? Consider that within the past six months, I was told of a story where a pen test outfit was fired from a company for reporting pen test findings in a blog posting. (As I like to say, not cool.)
How can you lessen your risk? Use the following criteria when selecting personnel for penetration testing assignment.
- 1 Trustworthiness – Can the person or team selected be trusted with the sensitive information that they might uncover? The number one indicator of trustworthiness is usually experience. It is hard to be in the pen test business for long if you can’t be trusted. NOTE: In my opinion, certifications do not address trustworthiness. They address technical skill.
- 2 Discipline – Will the pen tester stay within the lines drawn for the assignment?
- 3 Competence – Does the pen tester have the ability to correctly use his/her technical skill in order to find vulnerabilities? My experience has been that competent pen testers can find more with nmap than less competent ones.
- 4 Technical skill – Does the pen tester understand the technology that they are testing? (You would think that this would be number one, right?)
- 5 Communication – Can the pen tester relate the findings into meaningful issues?
- 6 Business logic – Can the pen tester turn the issues into mitigation and/or remediation strategies?
Use a scorecard when looking for a pen tester where you assess the above qualities, in the order listed above. This will help you get the best results for your penetration testing.