5 Critical Things to Consider When Choosing Your Penetration Tester

by Sarah Harvey / July 3rd, 2019

Have you been asked by a client to undergo penetration testing? Do you want to ensure the security of your critical systems? Getting the most out of your investment in penetration testing means that you must perform your due diligence and make sure that the penetration tester you’ve hired can deliver quality, thorough penetration testing services. How can you do that? By taking the following five things into consideration when choosing your penetration tester.

1. Should You Use an Outsourced Penetration Tester?

We understand that finding a penetration tester might be daunting. During your initial stages of searching for a penetration tester, you might question if it’s okay to hire a firm that outsources penetration testing. After all, they just hack from remote locations, right? Wrong. At KirkpatrickPrice, we believe that if you want to get the most out of your investment in penetration testing, you should never partner with a firm that outsources penetration testing engagements. We’ll give you three reasons why:

  • Other countries have different internet laws and protections. Even though a pen tester might be working from a secure network or a US VPN, that’s not always guaranteed. This introduces many unnecessary risks into an organization’s environment – risks that wouldn’t appear if your penetration tests weren’t outsourced.
  • There’s no oversight. Would you be willing to give just anyone access to your most valuable data? When organizations outsource their penetration testing services, there’s no way to guarantee that the penetration tester won’t cause harm while testing or that they will keep the results of the penetration test confidential.
  • The personal relationship between the client and an outsourced pen tester is virtually non-existent. When you hire a pen tester located within the US, you won’t have to deal with major time zone differences, and you should be able to meet in-person if needed.

2. What Certifications Should a Penetration Tester Have?

To receive quality, thorough penetration testing services, your pen tester – at a minimum – should have several certifications. At KirkpatrickPrice, we believe that penetration testers with Offensive Security Certified Professional (OSCP), GIAC Certified Penetration Tester (GPEN), and GIAC Web Application Penetration Tester (GWAPT) certifications have a standard baseline education that is necessary to deliver quality, thorough penetration testing services. What do those certifications mean?

  • GPEN: The GPEN is an 82-115 question exam that covers “penetration testing methodologies, the legal issues surrounding penetration testing and how to properly conduct a penetration test as well as best practice technical and non-technical techniques specific to conduct a penetration test.”
  • GWAPT: The GWAPT is a 75-question exam covering web application exploits and penetration testing methodologies.
  • OSCP: Unlike the GPEN and GWAPT certifications, OSCP isn’t a proctored exam. Instead, it’s a real-world, 24-hour exam in which the student performs a penetration test and has to submit an in-depth report on their findings.

3. What Kind of Experience Should a Quality Penetration Tester Have?

While a penetration tester should absolutely have certifications, they also need to have ample experience to deliver quality penetration testing services. Typically, we suggest that a quality penetration tester will have three to five years of experience in ethical hacking and consulting. Why? Because it’s not enough for your pen tester to just perform the penetration test. Instead, a quality penetration tester should be able to perform thorough penetration testing services and provide consulting on how you can remediate any vulnerabilities found during the assessment.

4. What Kind of Skills Should a Quality Penetration Tester Have?

Penetration testers should have strong technical skills when it comes to ethical hacking, but soft skills are nearly as important. Pen testers should be able to run more than just automated tools. For example, your penetration tester should…

  • Be able to adapt quickly to changing environments, because cyberspace is always changing.
  • Be able to work independently or as a team. While ethical hacking is often viewed as a solo job, if a penetration tester can’t work with your information security team, how will you be able to understand the findings?
  • Have time management skills. If they can’t manage their time effectively, how will they help keep your engagement on schedule?
  • Have the ability to think like an attacker.
  • Have knowledge of common programmer shortcuts that can be exploited.
  • Have experience in writing scripts and exploits to test unique vulnerabilities.
  • Be dedicated to the craft of ethical hacking.
  • Be immersed in the ethical hacking community.

5. Is the Penetration Tester Affiliated with Expert Information Security Specialists?

At KirkpatrickPrice, we know that there are many options for penetration testers. There are various companies that solely focus on ethical hacking, there are freelance penetration testers, and then there’s us: a CPA firm that delivers both quality, thorough penetration testing services and quality, thorough information security audits. Because we provide both services, we can help you get even more out of your investment in penetration testing. Not sure what legal regulations or frameworks require you to undergo penetration testing? We have Information Security Specialists who can help. Unsure of how your pen test findings will impact your compliance efforts? Your KirkpatrickPrice penetration tester can pull in one of our Information Security Specialists for consulting and remediation guidance.

Selecting a penetration tester for your organization is a decision that carries more weight than it might initially appear. Make sure you get the most out of your investment in penetration testing by partnering with KirkpatrickPrice and our expert penetration testers. Contact us today and let’s get started!
