iVolution Security Technologies
 


What to Look for in a Security Partner

Penetration testing services vary in quality and in their ability to actually do the testing you require. It is important to find a partner that fits your organization's testing requirements. Many organizations can provide security testing services, but experience and qualifications vary greatly. During your evaluation process, you should consider the following:

Choosing a security partner
A critical step in ensuring that your project is a success is choosing which third-party organization to use. When choosing a security partner, third-party objectivity and neutrality are absolutely essential and should be a paramount concern. This eliminates possible conflicts of interest and provides the client with credibility for compliance regulations.

Customer Support
The vendor should offer a support team with extensive, hands-on penetration testing experience that adds value to any engagement.

The Process
The proposed penetration testing solution should be fully transparent, allowing you to view all aspects of testing and methodology. Any organization that is not interactive, does not provide a clear methodology, or states that its methodologies and processes are proprietary should be avoided. Transparency is the key.

Transparency
The penetration testing product and methodology employed should be fully transparent. We believe that as a client you have the right to examine and understand the processes and tools, including exploits, that will be used in the security test.

Logistics
How is the security assessment being managed? It is important to understand how information will be shared and how communications will take place. Are escalation procedures in place? Is contact information distributed to each team member? It is very important to have the underlying logistics in place when penetration testing, to ensure that testing proceeds smoothly and that action is taken if problems arise.

Establishing the Team
Does the organization proposing testing work with a team concept, or is it simply one resource that provides all of its testing? Organizations that employ and build teams specifically tailored to testing requirements provide the most value for the client.

Detailed below are questions that an organization may want to ask any potential security partner:

  • Is security assessment their core business and focus?
  • How long have they been providing security assessment services?
  • Do they have a team of security professionals or rely on a sole resource?
  • Are they vendor independent?
  • Do they perform their own exploit research and coding, or do they depend on out-of-date exploits in the public domain (essentially operating as script kiddies)?
  • Are potential exploits tested in lab environments to avoid adverse effects on production systems?
  • Do they provide consultant profiles and credentials?
  • How experienced is the proposed testing team?
  • Are the CVs available for the team assigned to work on your project?
  • Do they have a standardized methodology?
  • Do they provide access to a sample report to assess the output?
  • What is their confidentiality policy?
  • Are references available from clients?
  • Are legal agreements put in place to protect all parties involved in testing?

Tools of the Trade
Does the vendor rely solely on automated tools? Automation assists in the penetration testing process but should not be the only facet of testing. Professional security engineers with years of proven experience can be a decisive factor when providing high-end services such as penetration testing. Simply running a tool and putting the output into a report should never be deemed acceptable and adds little or no client value. Any organization can purchase commercial assessment tools. Organizations that purchase third-party assessments are actually purchasing expertise in penetration testing.

Relevancy and Effectiveness of Exploits
Any vendor promoting penetration testing and security assessment should provide current and thoroughly tested exploits for newly discovered vulnerabilities. This allows assessment against current threats while ensuring the integrity of your network and its applications. Any organization promoting penetration testing should have the capability of doing its own exploit research and coding. All exploits should be tested in a lab environment.

Consulting Services
A vendor should provide a full complement of professional security services to meet compliance demands for third-party testing.

Vendor Experience
The vendor should have a demonstrated track record of providing information security testing and services to a broad range of organizations. Look for a company that openly collaborates with other security product vendors and service providers to share and expand its expertise.

It is important to keep in mind that references may be hard to acquire due to the strict client confidentiality clauses and non-disclosure agreements that are prevalent in the security testing industry.

Vendor Image
Any vendor should have a professional and polished corporate image. Staff should be professional and knowledgeable about all aspects of security, especially security testing.

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group