Penetration Testing Services Comparison: What should your report look like?

May 18, 2022 Mike Smith

When you’re comparing penetration testing services for your organization, what should the final report include?

In the video below, Mike walks through several things you should treat as “must-haves” in the deliverable you get from a pen testing service.

Want Mike’s recommendation on the pen testing companies that can deliver what you want? Click the button below and ask him today.

Ask Mike

About Mike


Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Your company is interested in looking into penetration testing services. Maybe it’s because you’re getting a new insurance policy and a test is a requirement, or maybe it’s because your company is honestly just concerned about cybersecurity.

No matter what the reason, if you’re looking into penetration testing services, one of the questions you’re going to run into immediately as you start to google it is, “Which vendors should we be quoting?” So I’m making a video series on penetration testing services comparison, pointing out the things you might want to look at in particular to help you compare penetration testing services across different companies.

I’m a broker for all the major cybersecurity penetration testing companies, so this is really my job. I look at all the different companies, organizations come to me for advice, and I act as a matchmaker: I help match you up with the right companies to use. This is the kind of thing I do every day, so I wanted to make this video series to provide a little bit of value and give you some insight into the things I look into.

So today’s video is on what type of reporting you should look for when the penetration testing services are complete.

Ask me which vendors to quote

But before I get too deep into it, just a quick plug. If you’d like my personal recommendations for the penetration testing services companies your organization should be quoting, there’s definitely a small handful that are going to be a better fit for your organization in particular. If you want to know which ones those are, don’t google it and don’t try to research it on your own. There are hundreds if not thousands of options out there; you’re probably going to get lost and end up with the wrong one. Instead, just contact me via email or by phone (714.593.0011). Again, I’m a broker for all these different companies and it doesn’t cost you anything to use me. More information on that at the end of the video. Also, don’t forget to like and subscribe to the video down below.

Sit Down?

Well, the first thing you want to ask is whether you get a sit-down meeting with the penetration testing company and the actual penetration testers themselves, where they go through the findings with you line by line. Is that included, or are they just going to email you something and leave it up to you to guess what they mean by each individual item? That’s number one. Depending on what you’re getting the penetration testing services for, you might want one or the other. Do you want a sit-down, or do you just want an email sent to you?

DIY Quick Fix List

Also, is the penetration testing services company going to give you a list of things you can resolve immediately on your own, without them? Obviously, if the company’s main goal is to get you to buy something from them at the end, maybe they’re not going to tell you about anything you can do on your own. But a company that has nothing to hide, and that knows there’s going to be plenty you’ll need their help with no matter what, will give you a big list of things you can tackle immediately on your own.

Scoring

Another thing: will the report list each exact vulnerability found and then score that vulnerability, maybe on a scale of one to ten, in terms of severity or in terms of risk? In other words, does it tell you whether you’re barely missing the mark on an item or severely missing the mark on it, and also what the severity of the possible security impact is for your organization?

Comparison to Peers

Something else that’s interesting the vendor might include is industry-related comparisons: in your industry or your type of business, here’s what the averages look like for similar companies in terms of which vulnerabilities are normal and which are the most important to address. Sometimes that type of thing might be important to you.

List of Items for an Outside Vendor to Tackle

Kind of like what we talked about before, something else they might include is a list of things you can remedy through either them or any other outside vendor. For instance, are they willing to just perform the penetration test, give you the results and say, “Whether or not you use our company, here’s the exact item that you need to remedy”? Some vendors might be a little vague in their findings and list an idea of what you may want to remedy without going into much detail, for fear that you’ll take that information to another third party and not use them. So how forthcoming are they going to be? Will they really walk you through it: this is exactly what you need to have done, this is about how many hours it’s probably going to take, and you can use our company or somebody else? Are they going to get into that kind of detail? You might want to ask them upfront, before you pay for the test.

Testing-Only

Some vendors actually do not do any of the remedy work. It’s kind of like smog checks where I live in California: pretty much all facilities now, I think, legally have to be testing only. Fifteen or twenty years ago, you used to go to a place that did your smog check and you’d always end up failing, because they were the ones doing all the fixes on your car once you failed. Nowadays, smog testing facilities have to be testing only, and you take the car somewhere else to get it fixed. It’s similar with penetration testing. Maybe you want to look into a company that only does the penetration testing and none of the remedies afterward, but gives you a detailed report you can take to somebody else who does the remedies. Either way, make sure that company is on the up and up and really focused on the testing itself, not on the remediation.


Good-Better-Best Options

And if you have a penetration testing company that can also remedy some of the gaps, will they give you a good, better, best quoting scenario? We all know there’s a lot of gray area. For some vulnerability they find, there’s going to be a quick fix that does a little bit for you, a somewhat better fix, and an A+ fix for that item. Will the company quote and price out all three options, or are they just going to say, “Here’s how we can solve it perfectly,” at a price that’s super expensive? Are they going to offer realistic pricing with good, better, best scenarios for the fixes they’re proposing?

So that’s something you definitely want to look for in the report at the end of the penetration test.

Ask me which companies to quote

Again, if you’d like my recommendations on the best penetration testing companies to quote for your organization in particular, reach out and contact me via email or by phone (714.593.0011). Don’t google it, and don’t try to find a needle in a haystack by searching the internet for the right company to use. I’m a broker for all these companies, so I know which questions to ask you to drill down right away to the best companies to quote. The nice thing is that the penetration testing companies pay me for my broker service, so you don’t have to pay me anything. There’s absolutely no excuse not to at least reach out and see what I have to say. So give me a call. I hope this video is helpful; if so, don’t forget to hit the like button down below and subscribe to the channel. It would be a big favor to me, and I will catch you on the next one.
