
Six tips for choosing the right penetration-testing partner


06 December 2016

Bas de Graaf, Head of Product Management, Security Consulting, BT.


Penetration testing is integral to security. But choosing the wrong partner could have significant implications, as Bas de Graaf, of BT’s Ethical Hacking capability, explains.

Buy cheap, buy twice (and then some).

Penetration testing is an area of cyber-security investment where you really can’t afford to cut corners. Yes, there will always be the temptation to spend as little as possible — that’s only natural. But when it comes to cyber security it’s not so much a case of ‘buy cheap, buy twice’ — it’s more ‘buy cheap, get hacked, say goodbye to your reputation’.

The reason is this: the less you pay for penetration testing, the more likely you are to get a service that doesn’t have the skills or expertise to keep you secure. Just about anyone can run a tool that scans your network or applications, but it takes someone with years of knowledge and experience to effectively interpret what this means for your security. There are also certain vulnerabilities that cannot be detected by automated tools, and these could pose a major threat to your security.

Some penetration-testing companies, for example, can’t keep themselves secure — and that opens you up to risk.

When ethical hackers get hacked.

One example from last year was the hacking of the Italian security firm Hacking Team.

Hacking Team, a company that provides a variety of cyber-security services, had its systems broken into and its data shared online.

The question this raises is: how can you trust a security company that can’t secure itself?

What to look for in a penetration-testing partner.

Choosing the right partner to keep you secure isn’t an easy choice. To help you make an informed decision, here are my six tips on what to look for in a penetration-testing partner.

1. Check that the testing company’s personnel are thoroughly screened (with background checks etc.), and make sure there’s an ongoing screening process in place (so their staff aren’t just screened once). It’s also important to make sure this process applies to anyone who manages central IT resources that might be used to store your test results. This includes logs, screenshots and other evidence gathered during the testing activities.

2. Find out what the tester does with your data. Is it protected carefully? Have they taken the right precautions when storing and processing your sensitive data? Are processes and procedures in place to enable these precautions? Ask about data classification, data protection, data retention and disposal.

3. Make sure that the tester can prove that quality work is delivered. Anyone can perform testing and say “it looks okay, we didn’t find any real issues”, but does that mean nothing was there to be found? No. Your potential partner needs to prove that they’ve been thorough.

4. Make sure your potential partner can expertly explain how to mitigate or eliminate any vulnerabilities that were found. If your partner does find problems, you get absolutely no value from that service if you can’t act on those results.

5. Can the tester provide ongoing advice on how to stay secure, as part of a trusted partnership? Building a strong partnership with a provider makes life easier for your organisation down the line, so it’s important that you know your relationship will last.

6. And finally, you need to know that the provider can perform rigorous and effective penetration testing — using a proven testing methodology.

An easy way to tick the boxes.

Now, I understand that finding a company which meets all those requirements might sound like a tall order. But in reality it’s simple, thanks to CREST.

CREST is a not-for-profit organisation that accredits cyber-security companies. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skills and competence in the latest vulnerabilities and techniques used by real attackers. CREST, working alongside the Bank of England (BoE), government and industry, has also developed the STAR (Simulated Targeted Attack and Response) framework for controlled, bespoke, intelligence-led cyber-security tests.

Put simply, if a company is accredited by CREST, then you know that you’ll get the best service available.

Our role in your cyber security.

I’m pleased to say that BT Security has a CREST STAR accreditation. So if you do need penetration testing from a reputable company, we’re more than qualified to do it. Our highly skilled consultants hold industry certifications including CISSP, CISA, OSCP and CREST.

Take a look at CREST’s buyers’ guide to penetration testing for more information.

And to find out more about what we offer, take a look at our ethical hacking services website.