Читать книгу CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Страница 18

Whether you choose to use internal staff or an external third-party company to perform the penetration test, it is critical you validate the qualifications of the individuals performing the penetration test prior to the engagement.

The first qualification to look for in a pentester is whether or not that person holds industry-standard certifications that prove the individual’s penetration testing knowledge. For example, you may require that all individuals performing a penetration test have their CompTIA PenTest+ certification.

However, certification is not enough. The pentester should also have prior experience performing penetration testing. Following are some questions to ask when hiring a third-party company to perform a penetration test:

 Does the penetration testing team have experience with prior penetration tests?

 Has the penetration testing team performed a penetration test against a similarly sized organization before?

 Does the penetration testing team have experience with the types of systems and platforms being used by the company?

 Does the penetration testing team have experience with network-layer testing (networking systems and configuration)?

 Does the penetration testing team have experience with performing application layer testing, and is it familiar with Open Web Application Security Project (OWASP) Top 10 validation techniques? (OWASP Top 10 is the top ten methods hackers are using to exploit web applications.)