Penetration testing is a necessity with most software development today, because there are always people that are willing to transform your achievements into means of achieving personal gain by all means necessary. Unfortunately such people have brought up their heavy guns some time ago and are now extremely dangerous with the amount of knowledge they possess and regarding on how mankind is dependent on software today.
Penetration Testers are exactly the people that will assist you with this part of development by actually trying to penetrate your system. But with good intentions of locating various flaws that may have been missed while development took place. Still, how do you know whether a pen tester is worth something before actually hiring him? And what exact skills is he to possess? Let’s try to answer these question together.
- Soft skills. Communication skills are as essential to a good pent tester as tech skills or even more regarding he is to be able of explaining defects he has located to both your development teams that will understand all the tech-heavy words he will be using and to the less tech savvy business side so all may determine a clear path for eliminating such flaws together.
- A good Pen Tester has to inform you about defects one may reproduce rather than feeding your team with false-positives. If such a situation tends to repeat quite often you are to consider hiring a different tester for this position.
- Consider the tester’s reputation as you are basically hiring a hacker to break through your defenses legally and you will be paying him money for that. This is not a task you may trust everybody possessing a more or less valid CV with. Do your homework before hiring such testers and do it good.
- New flaws in software security that were previously unknown are emerging every day thus you would like your pen testers to be evolved into a related community as it is of the best ways for the tester to keep his skills up-to-date.
- Certificates are a huge bonus you are to consider as they are a great mean of proving any tester’s skills without spending time on making sure a tester has the required knowledge in practice. OSCE and SANS GXPN and similar certificates are to do the trick although in today’s world of self-education such certificates are to be considered a pleasant bonus and a starter advantage rather than the point that is affection your decision heavily.
- A good pen tester is always willing to go off pre-determined scripts and you are to consider this a good thing rather than a waste of time, money and effort. You never know where you may locate critical defects. Sometimes they are lurking in the most unexpected places.
Surely this is not a full list but this is a list of things that are 100% to be considered when you are thinking over a pen tester candidate.
Created: 12 Dec 2014
LET'S GET STARTED!