Guide to Selecting a Penetration Testing Provider in Australia

Penetration testing on a regular basis is key to ensuring you have secure applications and environment, it is also essential in meeting your compliance requirements for security standards such as PCI DSS and ISO27001. But what should you look for when selecting a penetration testing provider in Australia?

Penetration_Testing_Provider_in_Australia

Selecting a pentesting service provider can be complex as there are many organisations out there that call themselves “professional” without any basis for that claim. Yet these are the people you rely on to interrogate your business systems and to use very complex tools to bombard your network. If they lack the right knowledge and experience on how to use the tools properly, you are likely to waste a significant sum of money. Even worse, they can damage, change, or takedown critical components if their tools are not configured specifically for your environment.

So here are some guidelines to help you ensure that the security provider you choose will provide you with results that are accurate and meaningful, allowing you to be proactive in reducing the risks of cyber-attack.

TIP #1: Make sure that they are conducting a penetration test not an automated scan

Unfortunately, some of the lower-priced and lower-skilled organisations sell you penetration testing, but in reality, only conduct a vulnerability assessment. And, when compared to a thorough penetration test, the results will be substandard. To truly understand the risks your organisation faces, the penetration testers must actively try and exploit identified vulnerabilities, and flaws in your business logic and not just use an automated vulnerability scanner.

TIP #2: You get what you pay for

When it comes to penetration testing, you get what you pay for. We don’t necessarily recommend you select the most expensive penetration testing company out there, but you should be careful and ensure the company is dedicated to spending time to learn and understand your environment, and your needs. This will help you get the best possible value for the amount you pay.

TIP #3: Look for specialisation

There are many companies for whom penetration testing is not a core offering, but just a value-added service. However, being at the forefront of the security industry is paramount in penetration testing, and maintaining this position requires a daily dose of penetration testing and security research. It could easily be argued that a penetration tester without this exposure, and dedication, may not be aware of many attack vectors that cybercriminals are deploying.

TIP #4: Look for Proof of capability of a Penetration Testing Service Provider in Australia

Anybody can run hacking software, and call themselves a penetration tester. It’s therefore key to select a capable partner with some proof of competence. A few things to look for are:

  • Sample reports making sure they are professional, thorough, and offer actionable remediation advice;
  • Penetration testing certifications such as those from the SANS Institute (GPEN, GWAPT), Offensive Security (OSCP, OSCE), or CREST;
  • Sufficient experience, so they won’t set you up with a junior who ends up doing all the work.

Also, ask for references from past clients, and find out what they valued about the company.

TIP #5: Look for customised, valuable reports

If a report is not written to a level that you can understand it, or the remediation activities and recommendations are not valid for either your budget or your environment, is it really worth your money?

You need a penetration testing company that will provide you with a report that is meaningful and helpful. Be aware of software-driven, canned reports that are often generated through vulnerability assessments. Instead, seek a partner that offers customised reports that are relevant for your environment. To do so, read a previous report or sample report from the penetration tester, and check that it’s comprehensive and suited to your business goals.

TIP #6: Testing happens before an application is moved into production

Ideally, a penetration test for a new application should be conducted during the user acceptance testing phase, and just prior to moving it into production. This will allow a penetration tester to try different attack vectors without the risk of impacting business continuity, and, more importantly, prevent you from commissioning a vulnerable system.

But it’s never too late to conduct a penetration test, and the test can even be completed post-production. A knowledgeable penetration tester will advise this.

TIP #7: An existing relationship is not a prerequisite

An existing business relationship shouldn’t be a condition for selecting your penetration testing company. System administrators, for example, typically don’t make good penetration testers as they’ve often already closed the holes they know about. Defending against and performing attacks is a completely different mindset and skill. Moreover, how keen would you be to admit that there are gaps in a system you just secured? Don’t be afraid to search outside of your existing relationships, and seek a penetration testing expert.

TIP #8: Proactive security approach, not just a tick in the box

If there is a requirement for a penetration test, it’s probably for a good reason. So, in selecting your penetration testing partner, don’t go with a partner that will just help you get the “tick in the box” during an audit. Instead, engage a partner with a proactive security approach as this will deliver better, long-term results.

TIP #9: Scoping exercise is key

Any penetration testing company worth their salt will conduct a thorough scoping exercise to flesh out your goals and objectives, as well as properly ascertain the size and breadth of the assessment. A common practice is for clients to request a black box (testing without prior knowledge) test. While in some cases this is beneficial, it usually ends up costing you a lot more money for less value. An ethical penetration testing company will guide you to get the most value out of your penetration test.

TIP #9: Scoping exercise is key

Any penetration testing company worth their salt will conduct a thorough scoping exercise to flesh out your goals and objectives, as well as properly ascertain the size and breadth of the assessment. A common practice is for clients to request a black box (testing without prior knowledge) test. While in some cases this is beneficial, it usually ends up costing you a lot more money for less value. An ethical penetration testing company will guide you to get the most value out of your penetration test.

In conclusion, a penetration test is a critical activity that requires planning, well-defined methodologies, and a trusted organisation. When selecting a penetration testing partner, make sure that they work with you from build-up, where detailed requirements are defined, all the way to close-down, at which point you should have a clear path and understanding of the next steps you need to take to make sure the penetration test meets your business requirements.

Talk to a Penetration Testing Expert
Our team is available to answer all of  your questions