Components of a Quality Penetration Test

by Sarah Harvey / July 12th, 2018

How do you ensure you’ve identified security vulnerabilities before a hacker has? In today’s threat landscape, it’s crucial for organizations to take cybersecurity seriously and create a prevention strategy. We know that organizations today face extremely threatening cybersecurity risks. We know you need validation of your security methods. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. That’s why we offer quality penetration testing. But what does that even mean?

We want to provide you with a few ways to identify whether or not you’re receiving quality penetration testing. This will help you build a strong security testing methodology, help you meet your compliance objectives, and protect your organization from malicious attacks.

How to Identify Quality Penetration Testing

  • Does KirkpatrickPrice outsource penetration testing services? No. When you partner with penetration testers from KirkpatrickPrice, you work with a dedicated, highly knowledgeable team located in the United States. Our penetration testers aren’t rushing through projects and clients, and they are available for project planning and educating your team.
  • Do we have a team of qualified, professional penetration testers? Yes. Quality penetration testing needs to be performed by a skilled professional or group of professionals who can analyze the results of security testing activities and use those results to inform future activities. Our team of highly skilled and certified penetration testers has diverse backgrounds and extensive experience, and holds GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), and GIAC Certified Intrusion Analyst (GCIA) certifications, among others.
  • Will KirkpatrickPrice ever try to pass off a vulnerability scan as a penetration test? No. We’ve witnessed many testing firms that, either through ignorance or deceit, mislead their customers by identifying their vulnerability scanning services as penetration testing. Many of these firms deliver scan reports to their customers labeled as a penetration test report, with little more than an edited title and their firm’s logo added to the document. Some will attempt to hide this approach by taking the vulnerability scan results and placing them into a custom reporting template without performing any additional testing that would support labeling the service as penetration testing. Despite numerous resources calling out this practice, it continues to be a common source of confusion for customers.
  • Do our penetration testers find security vulnerabilities that an internal penetration tester would not? Yes. There is unique value in having an independent third party perform penetration testing services for your organization, because the internal blinders have been removed. Personnel often can’t or don’t want to see the security vulnerabilities that an experienced auditor does. With today’s cybersecurity risks, you can’t be too careful when it comes to security vulnerabilities. Ask yourself: what could a certified, professional penetration tester find that we wouldn’t?
  • Have our penetration testers found security vulnerabilities that previous penetration testers did not? Yes. In one testing situation, we found thousands of accounts that were being maliciously used in a payment portal. Did the previous penetration tester find this? No – this security vulnerability was completely missed.
  • Are KirkpatrickPrice penetration testers dedicated to educating you on the implications of your security vulnerabilities? Yes. Our penetration testers are passionate about empowering your organization to greater levels of assurance, and they do that through analyzing the findings of your penetration tests, communicating the consequences, and recommending remediation tactics.
  • Do we use both automated and manual testing methods in our penetration testing services? Yes. One of the major differences between vulnerability scanning and penetration testing is automated versus manual processes. Beyond the initial scan configuration process, a vulnerability assessment does not require a significant amount of human interaction. Quality penetration testing should include manual testing methods performed by a professional. If the penetration testing services you receive are a highly automated process with minimal human effort, you might not be receiving quality penetration testing.
  • Do we give post-exploitation direction? Yes. A key aspect of quality penetration testing is using the findings. Your organization should risk-rank the vulnerability findings you receive, analyze the potential impact of the vulnerabilities found, and determine remediation strategies. KirkpatrickPrice penetration testers will partner with you to ensure you have proper post-exploitation direction.

What would it cost you if your top client was not satisfied with the quality of your penetration test? If you did not undergo a penetration test, what security vulnerabilities would you not know about? How would it impact your job if you did not receive quality penetration testing? In a day and age when security controls must be strong and effective against advanced threats, we’ve made it our mission to deliver quality services – and that includes penetration testing services.

Want to learn more about our penetration testing services? Contact us today.
