What to Look for When Choosing a Web Application Penetration Testing Company

A single data or security breach in a company can lead to financial ruin and a tarnished reputation from which there may be no recovery. The best way to prevent one is to find and remediate any security vulnerabilities before criminals can exploit them.

A penetration testing company beats hackers at their own game by attacking your system and finding security issues. Unlike criminal hackers, the penetration testing company works for you and doesn’t exploit the security vulnerabilities they find but reports them to you (along with remediation recommendations) so your cyber security team can plug them before hackers find them.

There are many penetration testing companies out there, so how do you know you’re getting the best? We’ll examine penetration testing and how to find the best company for your needs.

How Does Penetration Testing Work?

Hiring a company to break into your system may seem counter-intuitive, but it’s the best possible way to thwart hackers before they have a chance to attack your system. Exactly what is a penetration test and how does it work?

A penetration test is an organized cyber attack on your computer systems to discover security holes and other vulnerabilities. Its scope can include any and all systems, including APIs, front-end and back-end servers, web applications, and mobile apps.

The companies that do these simulated attacks are professionals at breaking through even the toughest defenses. They must be if they hope to find sophisticated security issues before the crackers.

Why Do You Need Penetration Testing?

Cyber security is essential in today’s business climate. Hackers can sit back and let their computers or bots send out automated attacks until one succeeds. They have several different attacks to choose from depending on their intent, from DDoS attacks to phishing and ransomware. Some businesses are attacked millions of times per day. It only takes one successful attack to ruin your day, though.

You hear in the news about attacks breaking through and stealing vital information and you don’t want to be that company. Companies across the globe conduct penetration tests to assess their security and make sure they don’t end up on the news for a security breach.

Also, many businesses, especially in the financial and medical sectors, need to be compliant with various standards and are required to have periodic penetration testing. They also require penetration testing following major system changes.

There are countless reasons for you to have penetration testing, but the most important is to provide a safe and secure environment for your customers’ and the company’s sensitive data.

Choosing a Penetration Testing Company

It’s important to understand what types of penetration testing are available and how they work before choosing a company. There are various types of penetration testing, and each company is different.

You can have a web application penetration test, a mobile application penetration test, or an infrastructure penetration test. Each is different and requires different expertise and tools to be performed well.

So, your first step is choosing what type of test you want to do and then searching for companies that are experts in that method. Once you’ve done that, determine what approach you want, such as white-box, grey-box, or black-box testing.

The companies you’re talking to can provide more insight into each of those tests to help determine which would be the best choice for your situation.

Evaluate the Penetration Testing Company

The testing company needs to have the experience, prove they’re knowledgeable in the subject matter, and show they can produce results.

  • Questions
    • Ask questions and try to trip them up. See how knowledgeable and honest they are.
  • Certifications
    • Meh. Not really a huge deal mostly just for entry level folks/interns to get their foot in the door.
  • Degree
    • Four-year degree equivalent to six (6) months of experience?
  • Accountability
    • Personally, I’d only hire a company that you could have arrested if they were not legit, i.e., if you are in America, maybe hire an American company.

Determine How They Secure Data

You’re opening your computer systems to this company with the goal of them extracting important and sensitive data. For many businesses that’s a scary concept. You need to know how they plan on securing that data once it’s removed from your system.

The last thing you want is a data breach caused by your penetration team. You need to know how the company transmits the data from your system to theirs and how it is stored.

Will the data be erased once the report is complete or will it stay in their system for a set period of time?

If you don’t feel comfortable with their answers, then don’t choose that company. Their ability to break into your system should be complemented by keeping the data they take secure until it can be permanently deleted.

Does the Company Have Liability Insurance?

The testing company uses aggressive techniques to break into your system. If they damage any of your infrastructure or computer systems in the process, liability insurance can help pay for the damage.

The company should have liability insurance because it’s a sign of legitimacy and it protects them and their customers. If the company doesn’t, then don’t sign a contract. If they can’t provide some method of security in case of damage, then the risk to your business is too high.

Understand How They Manage Projects

Your penetration testing is important because it examines vulnerabilities in your system. When you hire a testing company, they need to know not only how to penetrate your defenses but how to do it in a timely and efficient manner.

You need to know that their expertise in system penetration is coupled with a project management capability that keeps everything on schedule. Ask the company about the qualifications of their project managers as well as the actual penetration team.

When you contact references, ask them about timeliness and how they felt about the project management abilities of the company.

Ask the Company for a Sample Report

A company’s ability to break into your system and uncover security issues only helps if they can convey those issues to you. It’s important to ask for a sample report that shows how they present everything they found.

It should include a summary that describes the overall security posture and highlights items that require emergency action. It should also describe the methods used to find vulnerabilities and the results obtained.

It will also include a detailed list of all vulnerabilities found and how your company can best fix them. A penetration testing report must be thorough and provide extensive information to your security personnel.

Can They Provide Repeat Testing?

As we discussed earlier, hackers are finding new methods to break into systems every day. Your company will likely want future testing done to confirm fixes from the initial test and periodically to make sure no new vulnerabilities were created.

A professional company wants to retest to make sure your IT and security personnel have followed up on their recommendations. If you find a testing company that you trust, then create a long-term relationship with them.

How Do You Feel About the Team?

When it comes down to it, you need to feel comfortable giving the penetration testing organization access to your most sensitive data. Don’t just collect information from them; talk to the major players and ask yourself whether they seem credible to you.

You need to have a good level of communication and feel like you can hand over the keys to your castle. If it doesn’t feel right because you dislike how they act, or you walk away from a conversation unsure whether you trust them, then keep looking until you find one you are comfortable with.

Take Time to Choose Your Testing Company

The right penetration testing company can mean the difference between a safe and secure computer network and a data breach that impacts customer and company data. It’s important to take your time to find the testing company that is right for your business.

If you’re interested in learning more about penetration testing, please contact us.