Guide to Selecting a Penetration Testing Provider in Australia

If your organisation is like most, chances are you handle sensitive information every day. From customer data to intellectual property, keeping company information safe is critical for the long-term viability of your business.

Penetration testing is one of the most powerful and effective ways to ensure the security of this information and your broader IT environment. By identifying security vulnerabilities and developing customised solutions to address them, penetration testing protects your organisation against security breaches and prevents sensitive data from falling into the wrong hands.

Regular penetration testing is also essential in meeting your compliance requirements for security standards such as PCI DSS and ISO 27001.

Selecting a pentesting service provider can be complex. It is essential to do your research and ensure your chosen provider is proven, reliable and professional beyond reproach.

You will rely on your chosen provider to interrogate your business systems and use complex tools to bombard your IT network. If the provider lacks knowledge and experience in applying their tools to diverse IT environments, you may waste your money and fail to see results. Worse, your IT environment could be damaged, changed or taken down if penetration testing tools are not appropriately configured for your specific environment.

So, how do you select the right testing partner? This guide outlines the nine most important traits you should assess from a provider to ensure you get the best outcome in protecting your organisation.

TIP #1: Make sure that they are conducting a penetration test, not an automated scan

There is a real and significant difference between a vulnerability assessment (an automated screening which lists and prioritises vulnerabilities) and a proper penetration test (a goal-oriented exercise which simulates a cyber-attack). While vulnerability assessments generate useful information, their results are generally substandard when compared to those of a penetration test.

Penetration testing – in which testers must actively try and exploit vulnerabilities and flaws in your business logic – is most powerful for truly understanding the risks your organisation faces.

TIP #2: Has a strong track record of value-for-money services

In the penetration testing industry, you get what you pay for. A careful assessment of the specific offerings, approaches and guarantees provided by each penetration testing company will help you maximise value for the amount you pay.

Look for companies with a strong brand in the market that are dedicated to spending time to learn and understand your environment, and tailor their approach to your business context.

TIP #3: Conducts penetration testing as a core offering

Being at the forefront of the cybersecurity industry is paramount to successful penetration testing. Maintaining this position requires that team members are consistently conducting tests in diverse environments and staying up-to-date on the latest security research, trends and attack vectors.

You may find that many companies conduct penetration testing as a value-added service, rather than as a core offering. In this instance, it’s worth investing the time and effort to source a provider for whom penetration testing is core business.

TIP #4: Has objective proof of capability

There is a huge range of capability in the penetration testing market, from specialised experts at the top end of the spectrum through to individuals who have learned to run hacking software at the other end. It’s essential to choose a capable partner with proof of prior experience and success.

  • Review sample reports to ensure they are professional, thorough and offer actionable remediation advice.
  • Look for recognised penetration testing certifications such as those from the SANS Institute (GPEN, GWAPT), Offensive Security (OSCP, OSCE), or CREST.
  • Review the credentials of the testing team to ensure they bring sufficient experience.

Also, ask for references from past clients and find out what they valued most.

TIP #5: Delivers customised and practical reports

You need a penetration testing company that will provide you with a report that is meaningful and helpful. After an engagement, you can expect to receive a report summarising the key findings and next steps for remediation. If a report is not written in a way that you can understand, or if remediation activities are not practical for your budget or environment, you will realise limited value from penetration testing. Before engaging a provider, make sure you will receive a report that is meaningful, helpful and customised for your environment.

Be wary of software-driven canned reports (such as those generated through vulnerability assessments). Remember, you can ask for previous reports and sample reports to confirm that the approach is comprehensive and suited to your business goals.

TIP #6: Conducts testing before an application is moved into production

Penetration testing generally involves sophisticated and targeted attacks on your IT environment or applications to identify vulnerabilities. Ideally, this testing should be conducted during the user acceptance testing phase – before an application or system is moved into production. This will allow testers to try different attack vectors without presenting a risk to business continuity. However, if this isn’t practical, it’s never too late to conduct a penetration test.

Expert providers can conduct effective testing against systems that are already in production with minimal downtime risk. This must be highlighted and discussed in detail during an initial scoping call.

TIP #7: Independence from your day-to-day IT operations

An existing business relationship shouldn’t be a condition for selecting your penetration testing provider. System administrators, for example, typically don’t make good penetration testers because they’ve often already closed the holes they know about.

Defending against attacks and performing them require completely different mindsets. Attacking requires someone who brings specialist skills and, ideally, can look at your company’s IT environment from an outsider’s perspective. Don’t be afraid to search outside your existing relationships for the right penetration testing expert.

TIP #8: Proactive security approach, not just a ‘tick in the box’ exercise

With the swathes of sensitive data held by organisations today, penetration testing should not be treated as a ‘tick the box’ exercise. When selecting a penetration testing provider, be cautious of companies who promote that they’ll just help you to get through an audit. Instead, look to engage a partner who has a proactive security mindset – this will drive vastly better results that will save you time, effort and money long term.

TIP #9: Conducts a scoping exercise as part of the testing

Reputable and professional penetration testing providers will undertake a thorough scoping exercise before conducting a penetration test.

Scoping exercises help you and the provider to define your goals and objectives, and accurately ascertain the size and breadth of the assessment. You may be considering a ‘black box’ assessment (testing without any prior knowledge), but this often ends up costing more money for less value. An ethical and professional testing company will guide you to get the most value out of a penetration test.

In conclusion, a penetration test is a critical activity that requires planning, well-defined methodologies and a trusted organisation. When selecting a penetration testing partner, make sure that they work with you from build-up, where detailed requirements are defined, all the way to close-down. By close-down you should have a clear understanding of the next steps you need to take, and confidence that the penetration test has met your business requirements.
