11 Things To Know When Hiring A Pentester
Pentest (Penetration Testing) is an important part of strengthening and maintaining the network security of every business. By “hacking into a system”, a pentester finds security flaws so they can be patched before hackers exploit them. But finding a good Pentest service and quality candidates is not easy for businesses. Here are 11 things you need to know to hire the best testers.
1. Pentester’s Skills
Expertise is the primary concern when hiring a Pentest service or a Pentester team. Testers' skills are usually measured by certifications such as GPEN, GCIH, CEH, and GXPN.
Possessing professional certifications does not guarantee that a tester is the best. But it does show that they meet certain qualifications and are serious about their career. Thus, certified Pen-testers will be a safe choice for your organization.
To test the qualifications of the Testing team, you can rely on the Pentest / Ethical Hacking certifications they have. Besides, a skill test is also valuable for screening. It allows you to find better Security Professionals.
2. Practical experience
No one wants to hire pentesters with “excellent” achievements and certificates who don’t finish their job. That is why you need to pay attention to the experience of the tester.
A good pentester is someone who has practical experience in several areas: development models, network protocols, MiTM, ARP, cross-platform system administration, password storage (LM, NTLM, Shadow, etc.), database systems, and scripting (Ruby, Python, Perl, etc.).
Ian Amit, Service Manager of IOActive, emphasized: “To determine the level of a Pen-tester, a skill test is not enough. Testers need to clearly state the pentest method and process. They also need to reproduce the vulnerability.” Reports should systematically address problems and provide methods for addressing or minimizing risks.
3. Knowledge about tools
Besides knowledge and experience, Pentesters also need to understand how to use toolkits.
Toolkits such as Burp Suite, Metasploit, Nessus Scanner, or Wireshark will help a lot in finding vulnerabilities that exist in your systems and products.
A tester with the ability to “master the tool” will be able to use the power of those vulnerability scanning tools to speed up testing, cutting the “human effort” spent on the parts of the job that software can handle. This also shows the Pentester’s intelligent way of working.
4. Experience in system administration and application development
Experts say that a Pentester with network administration experience will outperform a “hacker” who just learns to infiltrate the system. They have a deep understanding of how the internal network & system work. Thus, they have a better understanding of the environment to make better decisions.
Likewise, knowledge of application development gives a pentester an advantage in detecting weaknesses.
Of course, there are still talented testers who don’t have much experience in network administration or application development. But this number is very small; most excellent experts have a certain understanding of the system, IT infrastructure, or application structure.
5. Expert community advice
If you want to find quality testers, don’t forget to join the communities where security experts gather across platforms: online, offline, Facebook, GitHub, hacker conferences and seminars, and information security programs. Actively participating in these communities brings you many benefits. It can help you build relationships with potential candidates and make your brand more familiar to pentesters. That increases the likelihood of hiring the right candidate.
Besides, participating in expert communities also helps you better understand how pentesters view the testing work. This understanding helps the cooperation with the pentester go smoothly and achieve more positive results.
Some communities and forums where many pentesters & white hat hackers gather include:
- Online communities: whitehat.vn, Tra Da Hacking, Capture The Flag and Bug Bounty, Bug Bounty Hunters, Bug Bounty Forum…
- Famous security conferences: DEFCON, XCON - Xfocus, Black Hat Conference, AppSec Europe, BSides Series, ShmooCon…
6. Pentester’s credibility
The credibility of the tester is very important. When you partner with a testing expert, you will provide them with the necessary information to find the weakest points in the system. It is very dangerous if such weaknesses are not fully reported or are being used for other purposes.
To assess the reputation of individuals and testing groups, you should consult the security communities. According to a Dell SecureWorks Senior Director, you can assess the credibility of an expert by answering the following questions:
- Do they stand out in the information security (InfoSec) community?
- Have they spoken at prestigious conferences like DerbyCon, DEFCON, ShmooCon, or Capture The Flag Contests?
- Do they contribute to open source projects, blogs, or responsibly publish vulnerabilities?
- Do they have a high score on Bug Bounty leaderboards such as HackerOne, Bugcrowd, WhiteHub, etc.?
If the answer to all of these is no, then perhaps you should reconsider the credibility of that expert. Here are some famous Halls of Fame, prestigious boards that every hacker wants to be on:
- Facebook Hall of Fame
- Google Hall of Fame
- Microsoft Hall of Fame
- Apple Hall of Fame
- Dell Hall of Fame
Besides, famous Bug Bounty platforms are also a big plus for a pentester’s reputation, such as:
7. Hire a passionate pentester
Hiring a consultant who is not passionate about their area of expertise, no matter what field, is a bad idea. That is why the Director of Dell’s Red Team shared his experience when hiring pentesters: “I look at candidate CVs from the bottom up, because it tells me what they focus on rather than what they have to do. If penetration testing is a hobby for them, the candidates will be highly-evaluated”.
However, it is also necessary to avoid people with a large “ego” in the field of security. In some cases, they may prefer bragging to protecting your system. That’s why a dedicated and methodical pentester is more effective than a bragging one.
8. Creativity
Creativity is an important criterion that helps pentesters or white hat hackers complete their work.
“Even the same vulnerability can be different in two different environments. And the way you attack will rarely be the same.” – said Ronnie Flathers, associate security consultant at Neohapsis.
He also said that pentesters have gradually become dependent on automated vulnerability scanning tools. Although this is very convenient at the start, pentesters who lack creativity later in the process will find it very difficult when the tool fails, such as when the software is not compatible with the task being handled, or when the software does not guarantee security features.
9. Communication ability
Another important factor in choosing pentest services is the communication ability of pentesters. “Communication is the most essential skill of a pentester. It is easy for them to change from technical discussions to simple concepts depending on the subject,” says Ronnie Flathers, associate security consultant at Neohapsis.
According to Sameer Dixit:
“Pentesters should issue quality reports and explain details in a technical as well as a non-technical way”.
Robitaille (Dell) pointed out the fact that the value of a pentester is based on understandable and useful results. “A pentester with good skills and communications that makes their manager understand the problem is very useful. They are better than the pentester in the world but with poor communication ability, making it difficult for decision-makers”.
A tester might find a critical vulnerability. But if he or she can’t clearly explain the risk, the client won’t understand its value or importance.
10. Don’t be afraid to discuss with Pentesters
Businesses often make mistakes when hiring Pentest services. One of these mistakes is not openly discussing their security difficulties. Once you have decided to hire expert testers, you have to trust and delegate the responsibility of system security to them. In addition to choosing a reputable and well-contracted expert, you should discuss any security problems your organization is facing, as well as the tools available to make their job easier.
Important things such as IP scanning, software licensing, hardware repair, and testing of wireless connections should be specifically communicated to the pentester. According to Vincent: “If you don’t provide enough equipment and tools, they will be very annoyed about having to spend time and money buying tools that should be available from the start”.
Most of the pentesters we spoke to felt that resolving security issues is difficult because of resistance from the very companies they were working with.
11. Pentest doesn’t mean “absolute safety”
Companies usually think that security depends only on penetration testing.
Experts recommend businesses layer their security systems to achieve the highest efficiency. Combining data testing, code review, and penetration testing will help increase security as well as increase the risk tolerance accuracy. Compare the results from the testing with the logs from your private network to see how often you are attacked and understand the attack components. Don’t just depend on the pentest process.
Finding a suitable pentest service or the right Pentester for your organization is not easy. This process can take a lot of time and effort as well as money. In turn, when there is a quality testing team, the security of the organization will be raised to a new level. This will minimize the risk of hackers attacking the organization and exploiting serious vulnerabilities. Finally, always keep in mind that you need responsible pentesters with the ultimate goal of “Protecting the business” and not just completing assigned tasks.