This document provides five short, to-the-point tips for anyone looking to purchase a pen test or procure penetration testing quotes in the UK.
When approaching companies for penetration testing quotes, two certifications stand out: the OSCP (Offensive Security Certified Professional) and the CREST Certified Tester (CCT), which has two options, the CREST Certified Web Application Tester (CCT ACE) and the CREST Certified Infrastructure Tester (CCT ICE).
The CREST CCT requires passing a written exam of multiple-choice and long-form (essay-style) questions, followed by a final practical exam in which the penetration tester is assessed against practical challenges designed to push senior-level penetration testing consultants to their limits.
The OSCP certification takes a slightly different approach: the course is online, with access to a large multi-subnet training lab to help prepare you for the final 24-hour exam, in which the penetration tester has to complete a capture-the-flag style examination. After the 24-hour exam completes, the candidate has an additional 24 hours to submit a full report with findings ordered by severity.
Image source: https://www.aptive.co.uk/penetration-testing/
Always request example reports, ideally for the same or a similar type of penetration test.
For example, if you are contacting pen testing companies for web application penetration testing quotes, request example web application penetration testing reports.
When reviewing example reports, check that the testing was conducted manually and that you are not being sold a vulnerability assessment as a penetration test.
As mentioned above, ensure all pen testing is conducted manually. Automated tools will be part of the process, but the test itself should be performed by a skilled and qualified consultant. The manual element allows a penetration tester to combine discovered vulnerabilities or security issues and chain them into a higher-severity finding or gain access to the system.
Advancement (pivoting) is another key part of a penetration testing engagement that is missing from a vulnerability assessment. Pivoting allows a penetration tester to gain a foothold within the target organisation through a machine, application or server compromised during the penetration test. From the compromised machine a pen tester is able to launch further attacks, perform privilege escalation or exfiltrate data from the target organisation.
PCI DSS 3.0 onwards requires a penetration test that follows an industry-approved methodology such as NIST SP 800-115.
PCI DSS 3.2, section 11.3 specifies a requirement to implement a penetration testing methodology that includes the following:
For more information see Aptive’s page on PCI penetration testing, which explains in detail the requirements for a PCI DSS 3.2+ penetration test.
Before accepting a pen testing quote, always request a copy of the third-party penetration testing company's methodology and review that it meets industry-accepted testing methodologies or frameworks such as NIST or, for application penetration testing, OWASP.
If you need any help or advice, or need a penetration testing quote, feel free to reach out: https://www.aptive.co.uk/penetration-testing/