What factors should customers take into account when turning to specialized companies, how can they tell real professionals from loud marketing statements, and what pitfalls does this process have?
#1. Trust
How can a customer decide whether an auditor company can be trusted? The answer is the traditional one: a list of large clients and their references (open, or much more often closed), how long the company has been on the market, how well known it is, and so on. Trust is the cornerstone: qualifications are irrelevant if there is no trust.
Let’s take a closer look at a typical problem directly related to trust: fear of pentesters. In general this fear is justified: pentesters, like any other external consultants, should be treated with caution. But first of all you should be wary of integrators and vendors providing technical support, because they are far more dangerous.
Unlike pentesters, who know nothing about the system except its holes, integrators are well versed in the entire system: what is in it, where, and what can be done with it, and they already hold all the necessary rights. On top of that, everyone has long since become accustomed to integrators, and control over their activities weakens over time, which makes them even more dangerous.
A “hacker” team of this kind is quite difficult to manage: it takes a lot of experience, knowledge of the peculiarities of the work, and well-built, debugged, yet highly specific processes. It is this particular experience that distinguishes mature penetration testing companies around the world and earns them the trust of top clients. Hence advice number 1: use only the services of trusted, experienced and well-known specialized pentesting companies.
#2. Qualification
The second most important condition after trust is the qualification of the pentesting company. Positive customer references are not always evidence of the quality of the auditors’ work, because not every customer is able to objectively assess the result of a pentest carried out on their own systems.
What are the main objective criteria for an auditor’s qualifications?
- References from customers with a high level of maturity with respect to penetration testing.
- Acknowledgments for vulnerabilities found from the world’s leading vendors (MS, Oracle, SAP, VMware, Cisco) and web services (Google). This is the most objective parameter: it unambiguously shows that the auditor company is able to find previously unknown vulnerabilities in the products of serious vendors. It remains only to look at the quality and quantity of those findings.
- Published research on vulnerability discovery (technical research, not to be confused with the market research the market is full of).
- Talks at the world’s leading technical hacker conferences.
Follow https://www.dataart.com/services-and-technology/security to learn more.
#3. Skill stack
Here is a rough list of what a good pentester needs to know:
- Configure a networking stack.
- Audit a system and analyze where it is vulnerable.
- Attack network resources using common techniques and set up protection against such attacks.
- Set up monitoring and alerting for problems.
- Take the human factor into account when building protection.
In addition, an understanding of cryptographic and other protection methods is useful. It is also good if the pentester understands the regulatory and legal acts in the field of information security and the areas of responsibility of government agencies.
#4. Tool stack
A pentesting specialist should be able to work with:
- Linux.
- Windows.
- DLP.
- IDS.
- SIEM.
- Kubernetes.
#5. Personal qualities
A pentester must be:
- sociable, able to express their thoughts clearly and competently;
- stress-resistant;
- punctual;
- constantly developing: learning new tools and attending conferences;
- mindful of occupational hygiene so as not to burn out.