How to Choose the Right Penetration Testing Vendor for Your Company

January 7, 2022

Lots of IT Experts Offer Offensive Security Services to Find Your System’s Vulnerabilities. But Not Every Penetration Testing Vendor is Created Equal.

With the exploding levels of cybercrime, it’s no longer enough to simply put up firewalls around your systems and hope they work. You have to know they work. Enter your friendly neighborhood penetration testing vendor. These white hat hackers attack your systems for a price, and show you where your vulnerabilities lie. Companies of all sizes should make the investment in penetration testing. That goes double if you are handling sensitive customer data or proprietary trade secrets. But how can you be sure your penetration testing vendor is reputable, and the right fit for your business?

How to Work with a Penetration Testing Vendor

Working with a PEN testing outfit is a long process. A true penetration test for your company will take weeks, if not months, and involve testing your systems at every level. A penetration testing vendor will launch coordinated attacks against your systems from the outside in, and the inside out. They’ll test your apps, your internet connections, your sites, and your phone and email server systems. PEN testing will also test your staff’s vulnerability to email and phishing attacks.

Sound complicated? It is. And that’s an even more powerful reason for going with a trusted provider. Luckily, there are a few simple rules of thumb that can help you separate the good vendors from the bad.

Signs of an Expert

Put simply, a reputable penetration testing vendor will:

  • use real programmers/hackers to attack your system, and not be overly reliant on AI-generated scans
  • be able to demonstrate experience with programming and system networking
  • be fully insured, in the event that they inadvertently cause damage to your systems
  • offer references you can call, preferably at companies similar to yours

And that’s not all. The best white hat hackers will take the time to meet and learn your business. Expect to disclose where your assets are, how your network runs, what apps you use, and how your system is backed up. There should be a thorough discussion of your staff’s current training level on online safety, too. Your vendor will take all that into consideration and design an attack strategy that truly tests your system the way the “bad guys” might.

When they’re done, they’ll provide you with a report that shows every breach and incursion. More importantly, they’ll tell you exactly what you need to do to fix it. By the time they’re done working with a penetration testing vendor, most companies will have created new security protocols, installed new software, and beefed up their employee cybersecurity training. Ideally, they’ll also have the tools in place to address emerging threats and hacker techniques. And who can’t afford to be one step ahead of cyber thieves?

What Penetration Testing Vendors Test

While this all sounds very mysterious, there are some standard best practices in PEN testing. In general, your penetration testing vendor should be looking to find the chinks in your system’s armor. And that requires testing all parts of your system. Look for a vendor that can conduct all of these types of tests:

  • Network penetration test—to see how easy it is to breach your network from the outside in, and from the inside out. They’ll also look at how secure your wireless network connection is.
  • Web application testing—to hunt for vulnerabilities in the web apps and APIs that power your systems. This includes custom built apps on your sites. It also covers off-the-shelf apps, and the application aware devices that interface with them.
  • Mobile app PEN testing—to test all parts of your mobile device systems, from logins coming through your mobile apps, to the apps themselves, to insecure mobile storage, to mobile malware and unauthenticated users.
  • Azure platforms testing—to challenge the security surrounding the data your organization has stored on third party apps on Microsoft’s Azure platform, such as Windows Office 365.
  • Google Cloud Platform testing—to similarly challenge your network security surrounding Google applications like Google Docs.
  • AWS testing—to test the system of APIs in the Amazon Web Services ecosystem.
  • Email and Voice Call Testing—to determine what kinds of scams your staff is most likely to fall victim to, and where you need to beef up security training, as well as your email and phone systems.

You’ll need a vendor that understands your comprehensive involvement with cloud vendors, from app APIs to your backup cloud providers. Remember, a penetration testing vendor that only tests parts of your system is leaving you vulnerable.

Now that we’ve talked about the basics of PEN testing, are you ready to put your organization to the test? Integris can help. Here’s our advice on how to take the next step.

Finding a Penetration Testing Vendor: Next Steps

You need a vendor that understands network security and offers you offensive security services that protect your assets. If you’re in one of our service areas, we’d love to help you with a wide variety of cybersecurity services, including our customized PEN testing services, as well as cybersecurity planning and strategy. Ready to take a deeper dive into the information? Download our free DIY IT Security Audit Checklist. It will help you determine the security areas you need to address first. And as always, contact us for a free consultation.

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as Technologyadvice.com, Datamation.com, The Lane Report and many others. Connect with her on LinkedIn.
