There are a variety of reasons your company might look to hire a penetration tester. For many companies, their first foray into penetration testing comes at the request of a potential business partner. In order to close a big deal, that partner requests that you hire a penetration tester to verify the security of your team’s software. As part of the contract, you’ll categorize the vulnerabilities they uncover and fix any major issues. Other companies jump into penetration testing as part of their process for leveling up their security. Maybe your company is looking to secure a big investment, take on larger customers, or is on the verge of acquisition.
Whatever the reason, choosing someone to perform that penetration test is normally uncharted territory. Usually, you need to find someone on a tight timeline. You don’t want to torpedo the deal. However, you don’t want to hire someone who’ll do a poor job, and you don’t want to pay more than the hired person’s skills are worth. A penetration test is an opportunity for your business to improve its security posture. Many businesses make the mistake of paying for a real penetration test, then promptly ignoring all the results.
So how do you choose the right pentester, quickly, and at a rate that meets your budget? In this article, we’ll walk through a few tips that can help you find the right person.
Use your professional network
This advice seems blindingly obvious, which is why it’s first on the list. It’s also advice that business leaders forget. Many business leaders will delegate the search for a penetration tester. Delegating a task like this can take some work off your plate, but it’s unlikely that your reports have the same professional contacts you do. While you probably don’t want to head up evaluation of potential testers yourself, tapping your professional network for recommendations is a great idea.
Using your network to identify a tester is more than just asking about who’s good. Instead, you can use your network to get a bead on the skills of the person you’d potentially be hiring. For instance: the most critical skill for a penetration tester is the ability to clearly communicate. At the end of a contract, your penetration tester will produce a report. That report will outline vulnerabilities that the tester found, how they found them, and their relative severity. A key facet of this report is that it’s designed to be understood both by technical staff as well as the business’s leadership. This means you need to find someone who’s an excellent communicator.
Beyond understanding basic skills and communication styles, another thing your professional network can clue you in on is a tester’s working methodology. Like professionals of all stripes, penetration testers have their own styles of working. Some tend to keep to themselves, while others plug directly into the teams they’re working with. Some quietly note every vulnerability, and that’s all they’ll tell you. Others will sit down with your technical staff and explain where a vulnerability comes from and how to avoid it in the future.
By talking with people in your professional network, you can ensure the tester you hire meets your team’s needs.
Check their certifications
In most of the tech world, certifications are barely worth the paper they’re printed on. That’s not true in the world of penetration testing. There are a handful of penetration testing certifications which carry a great deal of weight. If your pentester has one (or possibly more) of these certifications, you can rest assured that they’ve met a minimum level of skill. The best security certifications also come with an ethical component, certifying that the tester won’t utilize the knowledge they gained about your system to compromise it later. You don’t want to hire a penetration tester to find vulnerabilities in your system, only for them to turn around and steal your customer data.
In the world of penetration testing, certain certifications tend to stand out above the rest, depending on where you’re located and searching. A couple of great ones to keep an eye out for include:
- The Offensive Security Certified Professional certification
- The GIAC Penetration Tester certification
Any tester with one of these verified certifications is likely to serve your business well. If you’re choosing between two potential testers, the one with one of these certifications will always be the safer choice for your business.
Make sure they have experience
Penetration testing is a tough field to break into. As a rule, you don’t want to hire someone who’s just getting their start. Your business is paying good money to hire someone to find vulnerabilities in your software. They need to actually do that. Unfortunately, it can be hard to know if your tester is highly skilled. That goes double if they don’t have any good certifications. Sure, they might have participated in a dozen penetration tests, but unless you have good verification from someone you trust, you don’t know how well they did. It’s also entirely likely that all their previous work will be covered under a non-disclosure agreement (side note: make sure to have an NDA with whichever pentesters you do choose as well).
Thankfully, there are a number of high-quality analogs to penetration tests that are usually public. Many larger companies (like Google) run bug bounty programs where they pay security researchers for finding bugs in their software. This isn’t a true penetration test, but it’s pretty close. A penetration tester who’s gone through the vulnerability bounty program with one or more companies is likely to be a good hire. Knowing how to identify and describe bugs means that they possess many of the skills necessary to be a good penetration tester. Bug bounties also serve as a good test of someone’s ethics. A tester who finds a vulnerability and discloses it responsibly to the affected company is likely to be someone you can trust.
An even better test of ethics is public vulnerability disclosure databases. These are places where security researchers publicly disclose vulnerabilities in software for no compensation at all. Your own software might even have shown up in a database like this. Finding publicly disclosed vulnerabilities isn’t fun, but it’s better than finding out about them because someone exploited them.
Finding and choosing the right pentester doesn’t have to be stressful
Like we noted at the top of the post, there are many different reasons that a company will set out to find a good penetration tester. Some drivers for choosing a pentester can be stressful. It can feel like the success of the business is riding on who you hire. However, keep in mind that this hire is an opportunity to make your software better. You want your pentester to find the holes in your security and give you a clear picture of where you can improve. That’s an opportunity that’s too valuable to pass up.
All of this probably feels like a recipe for pulling your hair out. This is why many business leaders delegate the search for a penetration tester. And you may yet decide to do that. But if you follow the recommendations laid out here, you’ll probably find the job easier than you expect. By working with your professional network and trusting valuable certifications, you’ll quickly narrow your list down. From there, you can speak with individual candidates and find someone who’s going to do great work for your business. For more best practices on choosing and running a pentest, check out the Pentest Best Practices Checklist.
This post was written by Eric Boersma. Eric is a software developer and development manager who’s done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he’s learned along the way, and he enjoys listening to and learning from others as well.