Is There Such Thing as an Approved Penetration Testing Company?

Is there such thing as an “approved” penetration testing company? This is something we get asked quite often. Unfortunately, there is no industry-wide accreditation that a firm must hold in order to conduct penetration testing. There are, however, designations that firms can receive for certain types of audits that may require penetration testing, as well as certifications that the engineers themselves can, and should, hold in order to perform penetration testing. Today we will explore the different designations that exist at the firm level and at the engineer level.

Firm Level Designations:

  1. PCI Qualified Security Assessor (“PCI QSA”)
  2. FedRAMP Third-Party Assessment Organization (3PAO)
  3. HITRUST CSF Assessor

PCI Qualified Security Assessor (“QSA”)
Companies with this designation are the only companies certified to formally validate compliance with the PCI DSS standard. To earn it, the company must be thoroughly assessed by the PCI Security Standards Council over a process that takes roughly three months and must meet very specific requirements covering both the firm and the individual assessors it employs. As stated on the PCI website, “Because the quality of PCI DSS validation assessments can have a tremendous impact on the consistent and proper application of security measures and controls, the PCI Security Standards Council’s QSA qualification requirements are exacting and detailed, involving both the security companies and their individual employees.” Note that QSA status qualifies a firm to validate DSS compliance; the penetration test that PCI DSS itself requires may be performed by any qualified and organizationally independent internal or external tester, so QSA status is not a penetration testing credential in itself.

FedRAMP Third-Party Assessment Organization (“3PAO”)
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud service providers (CSPs). The security assessment that supports a FedRAMP authorization, including the penetration test it requires, must be conducted by a FedRAMP 3PAO, an independent assessor accredited against ISO/IEC 17020 by the American Association for Laboratory Accreditation (A2LA) on behalf of the FedRAMP program.

HITRUST CSF Assessor
CSF Assessors are organizations approved by HITRUST to perform assessments and related services under the CSF Assurance Program against the HITRUST CSF, a security and privacy framework that harmonizes control requirements from existing standards and regulations (for example HIPAA, ISO/IEC 27001, NIST and PCI DSS) into a single certifiable set.

Engineer Designations:

The below are only a few of the most popular certifications that you are likely to come across in the industry, and this is by no means an exhaustive list. Certifications alone do not make an individual qualified. You should also weigh formal education, hands-on experience, and specialties (web application, network, wireless, mobile, social engineering) against the type of assessment or penetration testing you are looking to have performed.

  1. Offensive Security Certified Professional (OSCP)
  2. Certified Ethical Hacker (C|EH)
  3. GIAC Certified Penetration Tester (GPEN)

Offensive Security Certified Professional (OSCP)
The OSCP signifies a penetration tester who has passed one of the most rigorous and realistic hands-on penetration testing exams on the market today. It is one of the very few certifications that requires the candidate to do real hacking in a lab environment: the candidate is given 24 hours to break into 5 machines, escalate privileges, and capture flags, and then another 24 hours to write up all of those findings, including screenshots, as a penetration testing report. (Offensive Security revises the exam format, machine count and scoring periodically, so check the current exam guide for details.) There are no multiple-choice questions, which is one of the reasons this certification has quickly become one of the most sought after in the industry. To you, as a consumer of penetration testing services, it should indicate that the tester has a substantial, proven level of technical ability in network-level penetration testing.

Certified Ethical Hacker (C|EH)
EC-Council awards the Certified Ethical Hacker (C|EH) designation to individuals who pass its certification exam. Candidates who do not attend EC-Council’s official training must show at least two years of information security experience before attempting the exam. The core C|EH exam is multiple choice, so the designation should indicate that an individual is familiar with the core tool set and methodology used by penetration testers, rather than demonstrating hands-on exploitation skill.

GIAC Certified Penetration Tester (GPEN)
Global Information Assurance Certification (GIAC) offers the GIAC Certified Penetration Tester (GPEN) certification. This is a comprehensive certification covering the fundamentals of penetration testing, delivered as a 115-question, multiple-choice, 3-hour exam. A tester with this distinction has a solid baseline of knowledge regarding penetration testing methodology, best practices, and advanced testing techniques. GIAC is one of the most well-respected certification bodies in the field, and its programs are accredited by ANSI under ISO/IEC 17024.

As part of the vetting process when selecting a penetration testing firm, we highly recommend that you ask for the biographies of the engineer(s) who will be working on your project and confirm that they hold at least one of the designations above. Verify the credentials with the issuer rather than taking a résumé at face value: GIAC, Offensive Security and EC-Council each provide a way to confirm that a named individual holds a current certification. If the engineers hold none of these, it should be an immediate red flag, and we recommend you request a more qualified engineer or switch firms altogether. At the end of the day, this is the engineer who will be performing testing that requires extensive knowledge, and you want to ensure they have the proper skills and training.