Checklist: What Should Be Considered When Ordering a Pentest


1. Expertise

Make sure that the pentesting contractor you choose is experienced in testing companies of your industry or at the very least of related industries.

Questions you can ask

  • What proven pentesting experience does the company have?
  • Has the company ever tested organizations operating in the X sector of the industry?

2. Proficiency confirmation

The experience of employees conducting penetration testing must be relevant to your needs.

Questions you can ask

  • Do your experts have verified CVEs to their name?
  • Do your experts have any commendations for discovered vulnerabilities?
  • Have your experts delivered their talks at specialized conferences (Black Hat, Defcon, RSA Conference)?
  • Do your specialists have certificates confirming their proficiency?
  • Is it possible to choose an expert to conduct pentesting?

3. Methodology

You have to choose a service depending on the results you expect, and you have to find out which pentesting methodology the provider uses. Discuss with the provider how that methodology fits your company’s specifics and meets your requirements. The testing approaches differ in how much information the testers start with:

  • grey-box testing — experts know only some information and can ask for clarifications
  • black-box testing — the most labor-intensive method from the point of view of pentesting experts; they know almost nothing about the company they are working for, except for maybe its name

Questions you can ask

  • Is it possible to make a project plan in advance to understand how the work will go and what the final cost of the service will be made up of?
  • What pentesting methodology will be used?
  • What internal data should be provided?
  • Can you change the course of penetration testing in the process?
  • Is it possible to pentest at night and on weekends, so as not to disrupt production services?
  • How will communication between the customer and the pentest provider be handled?

4. Reports

You can request a sample report. Based on the sample, you can adjust the expected result before penetration testing has begun. A useful report typically includes:

  1. Exploitation scenarios that can be used by adversaries
  2. Adversary models
  3. Recommendations on how to eliminate the discovered security issues

Questions you can ask

  • What will the report contain?
  • In what format is the report provided?
  • Will it be possible to edit the finished report? If so, for how long?
  • Will the report describe the steps and scripts to reproduce the vulnerabilities?
  • Will the report describe unsuccessful attack vector implementations?
  • Is there an option to change the template of a future report?
  • Will intermediate results be provided? (This is relevant for long pentests.)
  • Is it possible to get information about critical vulnerabilities before pentesting is completed?

5. Data confidentiality

Your future pentest service provider must keep all of your data confidential, and this must be specified in agreements and contracts: how the data will be stored and used, and after how long it will be destroyed. Cases where the contractor uses a subcontractor’s services in your pentesting project must also be spelled out.

Questions you can ask

  • What country do pentesters work from?
  • Does the company’s data leave the territory of the customer’s country during pentesting?
  • How long will your data be stored?
  • How will the report be sent to you?

6. Costs

You can find prices ranging from $4,000 to $100,000 for the entire project, with the average project falling in the $10,000-$30,000 range.

Questions you can ask

  • What do you charge for a pentest?
  • What services will be included in the final cost?
  • Will the cost of the service be directly related to the amount of time spent?
  • Does the cost of the service depend on the proficiency of the specialists?
  • How much of the total testing time will it take to write the report?

7. Retesting

Discuss the possibility of retesting after you have fixed the security issues the contractor identified. Some contractors also offer to help you fix the issues themselves, which makes things easier for you, since not all companies have enough resources for this.

Questions you can ask

  • Does the service include fixing the discovered security issues?
  • After fixing the discovered security issues, how much will a retest cost?

8. Pentest damages

Security testing can damage the tested infrastructure. This should be considered in advance to avoid misunderstandings and other issues.

Questions you can ask

  • Will the contract specify the permissible scope of actions of pentesters?
  • What if the pentesters go beyond permissions? How will it be resolved?
  • What if the pentesters’ actions cause damage to the system?

Final Thoughts

The points in this guide can differ depending on your company’s needs and financial capabilities. There are enough pentesting service providers to choose from, and they will help you achieve the desired level of security.

Hexway

A platform for pentest management and collaboration