
How to Vet Penetration Testing Companies: Lessons from a Missed SQL Injection Vulnerability
The user describes a disappointing experience with an external penetration testing company that missed a critical SQL injection vulnerability in their transaction API, which their internal team found in just 20 minutes. The external company spent three weeks testing and delivered a 70-page report filled mostly with automated scanner results, known misconfigurations, and generic recommendations. This highlights a significant issue in the pentesting industry: the quality and thoroughness of external pentests can vary widely.
To vet penetration testing companies effectively, consider the following factors:
- Published Research and CVEs: Companies that contribute to the security community by publishing research or discovering CVEs are likely to have skilled professionals capable of finding non-obvious vulnerabilities.
- References and Reputation: Seek references from other companies or pentest managers to gauge the quality of a pentest company. A strong reputation in the industry is a good indicator of reliability.
- Methodology and Approach: A robust pentest should include both automated and manual testing. Companies that rely too heavily on automated tools may miss critical vulnerabilities that require human insight.
- Certifications and Qualifications: Look for companies with certified professionals (e.g., OSCP, CISSP, CEH). However, certifications should be backed by real-world experience and a proven track record.
- Sample Reports: Request sample reports to assess the depth and quality of the company's work. A good report should include detailed findings, proof of concepts, and actionable recommendations.
- Engagement and Communication: Evaluate how well the company communicates during the engagement. Responsiveness and willingness to discuss findings in detail are key indicators of a professional and thorough service.
The technical implications of this scenario are significant. Missing a SQL injection vulnerability in a financial application is a critical oversight, indicating a lack of thoroughness or expertise. This underscores the importance of selecting a pentest company that employs skilled professionals capable of manual testing and deep analysis.
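To make the class of defect concrete, here is an added example (not code from the original post or from the company described) of the kind of transaction lookup that produces a SQL injection finding, beside its hardened form and a regression check a defender can keep in their test suite. The `transactions` table, the `owner` column and the sample rows are constructed for the example; SQLite stands in for whatever database the real API used.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two customers' transactions in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER, owner TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?)",
        [(1, "alice", 20.0), (2, "alice", 35.5), (3, "bob", 999.0)],
    )
    return conn


def get_transaction_vulnerable(conn: sqlite3.Connection, owner: str, txn_id: str) -> list:
    """Vulnerable: the caller-supplied id is concatenated into the SQL text.

    `owner` is assumed to come from the authenticated session; `txn_id` is the
    untrusted request parameter. Because the id is not validated or bound,
    a non-numeric value changes the query's structure instead of its data.
    """
    sql = (
        "SELECT id, owner, amount FROM transactions "
        f"WHERE owner = '{owner}' AND id = {txn_id}"
    )
    return conn.execute(sql).fetchall()


def get_transaction_hardened(conn: sqlite3.Connection, owner: str, txn_id: str) -> list:
    """Hardened: enforce the expected type at the boundary, then bind parameters.

    Anything that is not an integer is rejected before it reaches the database,
    and both values are passed as bound parameters so they can never be parsed
    as SQL.
    """
    try:
        txn_int = int(txn_id)
    except ValueError:
        return []
    sql = "SELECT id, owner, amount FROM transactions WHERE owner = ? AND id = ?"
    return conn.execute(sql, (owner, txn_int)).fetchall()


def leaks_other_owners_rows(handler) -> bool:
    """Regression check: does a malformed id ever return rows the caller does not own?

    This is the property the internal team's finding violated: a transaction
    endpoint must only ever return the authenticated owner's rows, whatever
    the request parameter contains. Run it against every lookup handler.
    """
    conn = build_db()
    malformed_id = "1 OR 1=1"  # constructed malformed input, not a valid id
    try:
        rows = handler(conn, "alice", malformed_id)
    except sqlite3.Error:
        # A database error on bad input is a robustness bug, but not a leak.
        return False
    return any(row[1] != "alice" for row in rows)


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_transaction_vulnerable),
                          ("hardened", get_transaction_hardened)):
        print(f"{name}: leaks other owners' rows = {leaks_other_owners_rows(handler)}")
```

The check is deliberately small: it does not need a scanner, only knowledge of what the endpoint is supposed to guarantee. That is the kind of reasoning a manual tester applies to a transaction API and a generic automated run against the whole application may not.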
The impact on the cybersecurity landscape is clear: not all pentest companies are created equal. Companies must carefully vet external pentest providers to ensure they receive a thorough and insightful assessment of their security posture. Relying on automated tools and generic reports can lead to a false sense of security and leave critical vulnerabilities unaddressed.
From an expert perspective, a good pentest company should have a proven track record, employ skilled professionals, provide detailed and actionable reports, and be transparent about their methodology. Additionally, they should continuously contribute to the security community through research, CVE discoveries, or speaking engagements.
Actionable advice for the user includes asking for references, reviewing sample reports, checking for community contributions, evaluating the company's methodology, looking for certifications and experience, and conducting a pilot test before committing to a full engagement.