Organizations regularly engage penetration testing services for their web applications, mobile applications, or network infrastructure, either to satisfy regulatory requirements (e.g., the Payment Card Industry Data Security Standard) or to ensure a secure product launch. Many companies offer these services, but the quality of the work varies widely, usually because of a weak methodology or unqualified personnel. How do you find the company with a robust methodology and qualified staff?
The first step is to understand the methodology used. The OWASP Top 10 and the CWE/SANS Top 25 are the reference lists nearly every company cites, but how those categories are actually tested is where the differences show. Many companies run automated tools that produce a report keyed to those two lists and hand that report to the client. That may sound efficient and cheaper, but automated testing alone does not provide end-to-end security coverage, and it is often priced the same as services with a stronger methodology.
To tell a strong methodology from a weak one, look for manual testing in addition to automated scanning. Manual testing covers tasks an automated tool cannot perform because the tool does not understand the business logic and workflows of the product. Below is a list of tasks that the penetration testing company should have in its methodology:
- Can User A view or change User B's personal information or account settings (an insecure direct object reference)?
- Can valid account names be enumerated because the login or password-reset flow responds differently for existing and non-existing users?
- Is there a lockout or rate-limiting mechanism that stops an attacker from guessing a user's password indefinitely?
- Can malicious files be uploaded, and are uploaded files validated and stored safely?
- Can captured user requests (session tokens, transaction submissions) be replayed later?
- Can specific verification steps in a registration flow be bypassed, or can dollar amounts be changed while making a purchase?
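The first three items above are checks a scanner rarely gets right because they depend on comparing application behaviour across accounts and across repeated attempts. The following harness is an added example, not code from the original article: it exercises those three checks against a small in-memory mock application whose users, credentials and response messages are constructed here for illustration. The `hardened` flag switches the mock between the weak behaviour a tester hopes to find and the fixed behaviour; in a real engagement the same checks would be driven against the target over HTTP.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # assumed policy for the hardened mock


@dataclass
class MockApp:
    """Constructed toy application: two users, a login endpoint and a
    profile endpoint. `hardened=False` reproduces three common findings:
    username enumeration, no account lockout and an IDOR on the profile."""
    hardened: bool
    users: dict = field(default_factory=lambda: {
        "alice": {"id": 1, "password": "correct horse", "email": "alice@example.test"},
        "bob":   {"id": 2, "password": "battery staple", "email": "bob@example.test"},
    })
    failures: dict = field(default_factory=dict)

    def login(self, username, password):
        """Return (status, body). The weak version leaks whether the username
        exists and never locks the account; the hardened one uses a single
        generic failure message and locks after LOCKOUT_THRESHOLD failures."""
        if self.hardened and self.failures.get(username, 0) >= LOCKOUT_THRESHOLD:
            return 423, "Account temporarily locked"
        user = self.users.get(username)
        if user is None:
            return (401, "Invalid username or password") if self.hardened else (404, "Unknown user")
        if user["password"] != password:
            self.failures[username] = self.failures.get(username, 0) + 1
            return (401, "Invalid username or password") if self.hardened else (401, "Wrong password")
        self.failures[username] = 0
        return 200, f"token-for-{user['id']}"

    def profile(self, token, target_id):
        """Return (status, email) for target_id. The weak version trusts the
        client-supplied id instead of binding it to the session (IDOR)."""
        prefix = "token-for-"
        if not token.startswith(prefix):
            return 401, None
        caller_id = int(token[len(prefix):])
        if self.hardened and caller_id != target_id:
            return 403, None
        for u in self.users.values():
            if u["id"] == target_id:
                return 200, u["email"]
        return 404, None


def username_enumeration(app, known_user, unknown_user="nosuchuser"):
    """True if a wrong password yields different responses for a real and a
    fictitious username, i.e. the response reveals which accounts exist."""
    return app.login(known_user, "wrong-password") != app.login(unknown_user, "wrong-password")


def missing_lockout(app, username, attempts=20):
    """True if `attempts` consecutive failures never trigger a lockout and the
    correct password still works afterwards."""
    for i in range(attempts):
        status, _ = app.login(username, f"guess-{i}")
        if status == 423:
            return False
    status, _ = app.login(username, app.users[username]["password"])
    return status == 200


def idor(app, user_a, user_b):
    """True if user A's session can read user B's profile data."""
    status, token = app.login(user_a, app.users[user_a]["password"])
    if status != 200:
        return False
    status, email = app.profile(token, app.users[user_b]["id"])
    return status == 200 and email == app.users[user_b]["email"]


def run_checks(hardened):
    """Run each check against a fresh app so lockout state does not bleed
    between checks. A True value is a finding."""
    return {
        "username_enumeration": username_enumeration(MockApp(hardened), "alice"),
        "missing_lockout": missing_lockout(MockApp(hardened), "alice"),
        "idor": idor(MockApp(hardened), "alice", "bob"),
    }


if __name__ == "__main__":
    print("weak app:    ", run_checks(hardened=False))
    print("hardened app:", run_checks(hardened=True))
```

Each check is deliberately a behavioural comparison rather than a signature match: enumeration is detected by diffing two responses, the lockout check by counting how many failures are tolerated, and the IDOR by using one user's session against another user's identifier. Those are exactly the comparisons a tester makes by hand, and the reason a report built only from automated scanner output tends to miss them.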
The list is not exhaustive, but it will help you begin to gauge the maturity of the penetration testing company's methodology. Once you are comfortable with the methodology, you can start reviewing the qualifications of the penetration testers.
There are many penetration testing certificates, and they differ considerably in how hard they are to obtain. One of the better-known certificates is the Certified Ethical Hacker (CEH). Unfortunately, it gives penetration testers no real-world, hands-on experience and is earned with relatively little effort through a 125-question, 4-hour multiple-choice exam. Nonetheless, the name sounds qualifying and is accepted by prospective clients.
As an alternative, we recommend looking for the Offensive Security Certified Professional (OSCP) and using it, or a similar hands-on certificate, as the minimum requirement for your penetration testing company. The OSCP consists of a 24-hour exam in which candidates must use practical, hands-on skills to exploit five machines. Passing it demonstrates that the candidate can be presented with an unknown network, enumerate the targets within scope, and exploit them.
The OSCP is one of the more difficult certificates to obtain. The table below lists common certificates, their exam format, and the effort required to achieve them:
| Certificate | Full name | Exam format | Effort |
|---|---|---|---|
| OSEE | Offensive Security Exploitation Expert | Hands-on | Very High |
| OSCE | Offensive Security Certified Expert | Hands-on | High |
| OSCP | Offensive Security Certified Professional | Hands-on | High |
| GXPN | GIAC Exploit Researcher and Advanced Penetration Tester | 75 questions | High |
| GWAPT | GIAC Web Application Penetration Tester | 75 questions | Medium |
| GMOB | GIAC Mobile Device Security Analyst | 75 questions | Medium |
| GPEN | GIAC Penetration Tester | 115 questions | Medium |
| CEH | Certified Ethical Hacker | 125 questions | Low |
| OSWP | Offensive Security Wireless Professional | Hands-on | Low |
We hope this information helps you and your organization choose a penetration testing company with a robust methodology, one that includes manual and business logic testing performed by qualified personnel.