Quality Assurance in Pentesting: Tester Accreditation

In the most recent article in my “pentest quality” series, I discussed how it really does take a village to ensure quality in pentesting. In this article, I will focus more on the main player, the pentester, who is responsible for the hands-on keyboard activity.

In my opinion, the best pentesters are creative, inquisitive, dedicated, fearless, and lifelong learners. The security field is ever changing, and a great pentester needs to keep up with not just vulnerabilities, but the overall technology field, including development, infrastructure, frameworks, etc., in order to be an effective ethical hacker.

Let's chat about how we can verify what a pentester knows and feel comfortable with their skills and the approach they will take.

Pentester Certifications:

I have seen my fair share of individuals working in this field and can attest that the best pentesters aren’t always those that hold all the certifications, or have a college degree in the field. While attaining a certification does relay your ability to learn, retain information, and pass a test and/or practical, it does not always relay your approach to learning and keeping up with the latest trends in security.

As a matter of fact, some of the most popular certifications do not require you to renew or re-test. Once it is yours, it is yours forever. This means that we, as buyers, hiring managers, and team leaders, are putting a lot of faith in certifications that can, and do, become stale shortly after attainment.

Certifications don’t tell the full story. Instead, it’s important to consider how testers are vetted and onboarded and how they work to keep up with their skills and relevancy. Working to verify a tester can investigate security flaws well isn’t easy, and can be costly and time consuming.

Pentester Skills

Below are a few approaches I have seen be successful in vetting pentester skills:

For organizations that have internal security teams:

• Stand up a virtual environment (or partner with a provider) with multiple purposefully vulnerable applications, network segments, and operating systems. Provide a reasonable amount of time (48+ hours) and have the candidate attack and report on the environment flaws.
• Implement a continuous learning initiative and set aside a sufficient budget to allow for one or more training classes per year. Keep individual contributors accountable for their continued growth, make it a goal and track their progress.
• Require your team members to give back. Provide them opportunities to share what they have learned with the rest of the team. Teaching is a great way to cement knowledge and build better working relationships with peers.
• Hold recurring events, like capture the flag, or hackathons, where team members work collaboratively. Pair more experienced testers with those who have gaps or are just starting out.
• Incentivize the above activities to increase interest and participation and to make it fun for everyone.

For organizations that off-load security testing to partners:

• All of the above should be true for the testers your partners use.
• Additionally, your partners should have recurring training dealing with at least:
  • Data management and information disclosure
  • Security awareness (yes, even security professionals get socially engineered!)
  • Confidentiality, integrity, and availability (you know the triad!)
  • Responsible vulnerability disclosure

The above lists are not all-inclusive, but they should give you an idea of how to make sure the pentesters investigating your environments are keeping up to speed with the technologies they are testing.

Don’t get me wrong, certifications can be a good way to find talent, and they should be celebrated when attained by members of your team (I’ve held my fair share). There are times when specific certifications are needed, like PCI compliance or for other types of testing for regulatory entities.

However, the majority of the time, you should be looking for experienced testers in the technologies that are present in your environments. That experience will go a lot farther than a one-and-done certification ever will. Look for creativity, thoroughness, and that life-learner trait as an indicator of the tester’s ongoing capabilities.

In the next installment of my article series, I’ll talk about keeping pentesters focused on what they do best: hacking. In the meantime, do you have anything to add to my list? Or anything to share about any of the other articles in this series? Did I miss anything you find absolutely essential when hiring or vetting pentesters? Send me your thoughts at [email protected].