Today we’re going to talk about a question that seems to be coming up more and more in the security and penetration testing world, even though it’s been around in the technology and software development world for quite some time. Does it matter if I use an offshore penetration testing company? It doesn’t matter who starts an “automated scan” and spits out a report, right? While suppressing the rage induced by someone calling a full penetration test a scan, I can say that there are definitely some things you should consider before outsourcing your penetration testing requirements to an offshore company or any company that uses offshore resources/contractors.
What’s the Big Deal About Using an Offshore Penetration Company?
I’m sure there are some great penetration testing companies that are using offshore resources, and I know there are great companies headquartered in places other than the United States, so this isn’t intended to be a derogatory post in any way. The things that apply when making a decision about any penetration testing company you might choose to work with will apply here, too. The main difference is that some of these problems may be exacerbated (due to things like language barriers) and some things may be more difficult to verify (background checks, certifications, etc.).
The reason all of this may seem so complicated and nerve-racking when choosing a penetration testing company is primarily that the industry is still pretty young in the grand scheme of things. There is no official distinction, approval, or certification you need to obtain to become a penetration testing company and start offering security consulting or penetration testing services. So an offshore penetration testing company may just be a little more difficult to properly vet, depending on how much information they are willing to provide you. Here are some things that you should consider when making this decision:
- Communication Issues – I’m not talking about just a language barrier, although that can make a lot of things more difficult. Reporting may be in a different format or explained differently than what you are expecting or are used to, due to cultural differences. The reports may not be presented to you by the people who actually did the testing, due to time zone differences. And finally, time zone differences can also extend the length of testing and the documentation required to complete a project, because of delays in troubleshooting or transferring scoping information. These communication issues may not concern you as much, or may be worth the lower price point, but they should be considered.
- Difficult to Vet Resources – Things like background checks, criminal records, and certification validation are all more difficult with offshore resources. You should always consider the question of who is doing my penetration testing. What is the experience level of the test team, what certifications do they hold, and what is their level of education? Penetration test results are only as good as the tester who worked on the project, unfortunately. And while we always provide biographies for the engineers working on your assessment project, a lot of other companies don’t. Ultimately, while there are plenty of offshore resources that are fantastic penetration testers, it may be hard to know whether you’re getting an expert or a novice.
- Hard to Tell the Quality of Test You’re Getting – Speaking of how hard it is to know what you’re getting from a resource perspective, it’s also difficult to tell whether whoever did your penetration test did a good job. Most people engaging a third-party company to perform penetration testing are not experts themselves (although some are and just need third-party validation), so if you receive a clean report, is that a good thing or a bad thing? Are you really secure, or were vulnerabilities missed? So while it may be cheap, there may be a ton of stuff being missed, and it’s just really hard to tell.
So to wrap all these considerations up, what are you supposed to do? Is it OK to use an offshore penetration testing company or not? Well, at Triaxiom we do not use offshore resources or contract out any of our penetration testing work, because of our high standards for quality and our core values of quick and effective communication with our clients. But that doesn’t mean offshore companies are bad or ineffective, and a lot of times they are probably cheaper. It just means that you’ve got to put a lot more time and effort into due diligence before engaging those companies, to make sure you’re going to get a thorough test, a capable engineering team, and a high quality product.