Checklist to pick a qualified security partner.
- Is your security partner recognized by any government bodies?
- Does it have specialized/certified staff to perform security assessment services?
- Companies that specialize in security services often outsource penetration tests. Always verify that the pentesters are their own staff and not contracted employees.
- Do they have expertise in your domain?
- Validate whether the security report is certified by international or national organizations such as CERT-In, CREST and so on.
- Do they provide a certificate to be attached to your application?
- If the answer is no but they claim to be CERT-In certified, don't buy it. Ask for the accrediting organization's certificate to be posted on the web or application as proof.
- Would they provide annual or quarterly services?
- Check whether their security assessment coverage is based on the OWASP Top 10 and SANS Top 25.
- Check whether they follow the PTES or OSSTMM standard methodologies.
- Check whether they provide other services such as source code security review, malware analysis and reverse engineering.
- The capacity of the team assigned to your project decides timelines and quality; check that they have enough qualified staff.
- How many iterations would be covered if you take a package of services?
- Do you know them from other services they provide to you?
- If yes, chances are they will contract out or outsource the pentest work.
- Companies that dedicate research to the latest hacks and campaign security issues would be the right fit, even if it's a startup with certified and experienced staff.
- Most highly qualified penetration testing providers run a blog where they publish technical details of security vulnerabilities and research they have recently conducted.
- Even within qualified companies, expertise between individual people can vary significantly. To get the most out of a penetration test, insist on senior security consultants, ideally people credited with having found security vulnerabilities or who have presented at conferences.
Methodology and Standards:
Accreditations and recognition:
Different types of security tests performed:
The table below describes the most common types of security testing that may be needed from a security partner quarterly and annually.

| | Vulnerability Scan | Static Source Code Analysis | Penetration Test | Source Code Audit |
|---|---|---|---|---|
| Purpose | Identify known vulnerabilities based on pre-configured signatures. | Identify a specific set of vulnerabilities in source code. | In-depth, manual security assessment of a defined scope. | Very in-depth review of a single application/product. |
| Benefits | Fast way to identify misconfigurations and missing security updates. Since these scans are automated, they can be run often and complement a vulnerability management process very well. | Fast way to identify vulnerabilities newly introduced into code. | Can identify previously unknown vulnerabilities. Very low false positive rate. Can find subtle logic errors that lead to security issues. Can follow vulnerability chains (exploiting vulnerabilities to identify further issues). Humans are still best at assessing risk. | Can identify pretty much all types of vulnerabilities and security weaknesses in an application's code. Also able to identify design issues and recommend improvements. |
| Limitations | Vulnerabilities in custom or uncommon software cannot be identified. Only finds vulnerabilities a signature has been created for. False positive rate is often very high. | Still in its infancy. Usually reports a very high number of false positives, making it hard to identify real findings. Limited support for discovery of logic errors (which includes entire classes of vulnerabilities, such as authentication bypass, some types of privilege escalation, etc.). | Time intensive and expensive. Quality highly dependent on provider. Scoping often dictates the quality of the test. | Very time intensive and expensive. |
Unauthenticated vs. Authenticated Testing
| | Unauthenticated Testing | Authenticated Testing |
|---|---|---|
| Definition | Assumes that the testers have no knowledge of the environment under test. No credentials are provided to the testers. | Testers have full access to information about the platform being tested. This often includes accounts (including administrative users) and access to discuss functionality with developers during the testing process. |
| Level of detail | Low | Medium/High |
| Benefits | Simulates casual attackers and automated attacks on the first line of defense within an application. Does not require a high level of expertise to perform; no knowledge of the business logic is required. | Detail-oriented testing, including business logic type issues. More likely to find issues that would otherwise not be discovered during code audit, unauthenticated testing, or automated scanning alone. Can be useful in testing monitoring and alerting capabilities when used in coordination with an internal IR/monitoring team exercise. |
| Limitations | Often misses issues that require knowledge of the application or infrastructure, or require a minimum level of access as a user. | Can take additional resources from the development team as well as testers. Often requires more experienced testers due to the increased complexity and type of issues. |