Why Top Security Leaders Consider Alternate Penetration Testing Providers
Aside from good business practice, here are reasons as to why top security leaders consider alternating Penetration Testing providers.
New Eyes On Their Systems
If you think every security consultant leverages the same methodologies, think again. The various nuances in the way individuals test and what they uncover, varies from company to company and person to person. Different testers apply various methodologies and techniques, not to mention the tools they use. What one penetration tester may not find, another perhaps will.
When an organisation works with a new team or security consultant, the vulnerabilities will likely be tested in different ways to the previous project. Providing a list of your previous findings is advantageous as it ensures the new testers will be able to ensure improvement on the testing results.
When security leaders have been asked why they change testing providers, the most cited reason is to get “a new set of eyes” on the test. A different security consultant will likely find different vulnerabilities that were missed by the previous tester, mainly due to having different backgrounds and experience.
Leveraging Different Expertise
It is worth exploring different vendors for different areas of expertise. One vendor for example, could be very strong in performing a penetration Test, but not as much in social engineering. So leveraging different vendors is advantageous for different areas of strengths.
Most security consultants and testers will find low hanging fruit, or fairly obvious vulnerabilities easily enough. A great security tester however, should be able to exploit your systems deeper, and more importantly help you mitigate any risks these vulnerabilities can cause.
Do not make a penetration test be about ticking a ‘compliance’ box, and rather about giving your organisation the best opportunity to avoid breaches.
Certified and Trusted Security Testers
Certifications and experience is everything.
Check the qualifications that the company hold and each individual testing your environment or platform. Some of these industry standards and certifications penetrations testers should hold include Council of Registered Ethical Security Testers (CREST), Open Web Application Security Project (OWASP), Offensive Security Web Expert (OSWE), Offensive Security Certified Expert (OSCE), Offensive Security Experienced Penetration Tester (OSEP) and Offensive Security Exploit Developer (OSED). NV1 security clearance is also another way to ensure your consultant has been vetted by the Australian Government.
The testers need to be certified as well as experienced to provide you with thorough results.
ITSEC Australia swap our Engineers for retests and ongoing scheduled client testing to ensure that even as one provider, we are giving our clients the best opportunity to identify vulnerabilities before cyber criminals do.
Please reach out to ITSEC Australia if you would like a no obligation review, scope and price for your next test by emailing info@itsec.com.au.
October 24, 2022