Organizations choose a Pen Testing company based on who has the best marketing material and smoothest salespeople. Obviously they do not realize they are doing it! Most of my career has been spent working at various web application penetration testing companies. So that is the focus of this rant.
After conducting web and mobile application penetration tests for years and billing for my insight, it seemed high time to give a bit of advice for free. Other Pen Testing companies are going to hate me for giving you this information, unless they are actually a solid firm.
First of all, and this may be obvious, salespeople are NOT your friends. Legitimate companies automatically promote their own over the years, and the managers / most senior pen testers end up doing sales. If there is not an SME (subject-matter expert) on the call… hang up.
Before signing anything, ask questions and try to trip them up! Come armed with questions and see the depth of their knowledge! Remember, they are likely bringing their best to impress you.
Basic Web App Assessment Questions
- There has been a lot of talk about SSI (server-side include) injection. We are wondering how you check for these issues, and if you see them very often, how serious are they?
- XXE (XML External Entity) injection is another area of concern for our developers. Could you tell us a bit more about this potential threat and maybe describe how such a vulnerability could impact our web application?
Web application penetration testing companies use the OWASP (Open Web Application Security Project) checklist, and we all check for the same issues over and over for every web app assessment. Therefore, any senior web application penetration tester will be able to answer basic questions such as these with little to no hesitation. However, if, like many pop-up Pen Testing companies, they are noobs and cannot answer basic questions… run! Legit web app pen testers will provide your company with more value than their slicked-back haircut will.
Web App Testing Certifications
Certifications are great for penetration testers getting into the industry and, to some extent, show that an individual is at least halfway competent, depending on the web app Pen Testing certificate. Though to be honest, most of the best pen testers have no degree or certifications. Think back to high school and the “passion” many people had. Those were the days. Haha.
GWAPT (GIAC Web Application Penetration Tester)
This certification is, as of writing, still the most well-known web application Pen Testing certification. Those of us that have been doing app testing for very long have either taken the course and the test or unofficially done so via coworkers. This is very basic material; ANYONE can pass this course. It does not mean much, just that their company was willing to spend a few grand.
OSWE (Offensive Security Web Expert)
An individual with this cert is probably a legitimate web application penetration tester. However, this mostly means the Pen Testing company they work for was more willing to pay for the course than the employer of an individual without it. As stated previously, most of the HIGHLY skilled testers have no certifications because they were not needed (or, in some cases, around) when we started. Why spend thousands of dollars on certifications if we do not need to?
University / College Degree
Meh, this means very little and may even be a negative (joking). Brace yourself, here comes a very controversial thought… if they cannot hack the system, how can you expect them to hack the planet? Again, somewhat joking, but honestly my colleagues teach and write the college curriculum. Have you ever hired someone fresh out of college? You know what I mean.
Whatever pen testing company you hire, you are giving total control and access to everything. Think about that. If your application is important enough to conduct a web application assessment, then you certainly want to make sure you are not hiring criminals posing as a security firm. For example, here in America computer crimes are not tolerated and ethical hackers make too good of a living pen testing web applications to risk incarceration. Risk vs reward.
When vetting web app Pen Testing companies:
- Ask questions.
- If they act like a politician and avoid answering the question, they do not know the answer. Run!
- Certifications are helpful, but they are just there to help pen testers get their foot in the door when starting out. Sufficiently senior pen testers often do not have them.
- A four-year degree is equivalent to six (6) months of experience?
- Offensive security might have made me a bit paranoid, but personally I’d never hire a pen testing company that couldn’t be arrested if they turned out to be criminals.