There is the issue of protecting the most critical data of the organization; therefore, the role of a penetration tester is much critical, a minor error can put both the parties (tester and his client) on risk.
Therefore, this chapter discusses various aspects of a penetration tester including his qualification, experience, and responsibilities.
Qualification of Penetration Testers
This test can be performed only by a qualified penetration tester; therefore, qualification of a penetration tester is very important.
Either qualified internal expert or a qualified external expert may perform the penetration test until they are organizationally independent. It means that the penetration tester must be organizationally independent from the management of the target systems. For example, if a third-party company is involved in the installation, maintenance, or support of target systems, then that party cannot perform penetration testing.
Here are some guidelines that will help you while calling a penetration tester.
Certification
A certified person can perform penetration testing. Certification held by the tester is the indication of his skill sets and competence of capable penetration tester.
Following are the important examples of penetration testing certification −
- Certified Ethical Hacker (CEH).
- Offensive Security Certified Professional (OSCP).
- CREST Penetration Testing Certifications.
- Communication Electronic Security Group (CESG) IT Health Check Service certification.
- Global Information Assurance Certification (GIAC) Certifications for example, GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), Advance Penetration Tester (GXPN), and GIAC Exploit Researcher.
Past Experience
The following questions will help you to hire an effective penetration tester −
- How many years of experience does the penetration tester has?
- Is he an independent penetration tester or working for an organization?
- With how many companies he worked as penetration tester?
- Has he performed penetration testing for any organization, which has similar size and scope as yours?
- What type of experience does the penetration tester has? For example, conducting network-layer penetration testing etc
- You may also ask for the reference from other customers for whom he worked.
When hiring a penetration tester, it is important to evaluate the past year testing experience of the organization for which he (tester) has worked as it is related to the technologies specifically deployed by him within the target environment.
In addition to the above, for complex situations and typical client requirements, it is recommended to evaluate a tester’s capability to handle similar environment in his/her earlier project.
Role of a Penetration Tester
A penetration tester has the following roles −
- Identify inefficient allocation of tools and technology.
- Testing across internal security systems.
- Pinpoint exposures to protect the most critical data.
- Discover invaluable knowledge of vulnerabilities and risks throughout the infrastructure.
- Reporting and prioritizing remediation recommendations to ensure that the security team is utilizing their time in the most effective way, while protecting the biggest security gaps.