Helping you to conduct effective, value-for-money penetration testing, this guide is designed to enable your organisation to plan for a penetration test, select an appropriate third party provider and manage all important related activities.It presents a useful overview of the key concepts you will need to understand to conduct a well-managed penetration test, explaining what a penetration test is (and is not), outlining its strengths and limitations, and describing why an organisation would typically choose to employ an external provider of penetration testing services.
- 77 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Penetration Testing Services Procurement Guide
About this book
Trusted by 375,005 students
Access to over 1 million titles for a fair monthly price.
Study more efficiently using our study tools.
Information
Subtopic
Cyber SecurityIndex
Computer SciencePART I: INTRODUCTION AND OVERVIEW
About this Guide
This Procurement Guide (the Guide) provides practical advice on the purchase and management of penetration testing services, helping you to conduct effective, value-for-money penetration testing. It is designed to enable your organisation to plan for a penetration test, select an appropriate third party provider and manage all important related activities.
The Guide presents a useful overview of the key concepts you will need to understand to conduct a well-managed penetration test, explaining what a penetration test is (and is not), outlining its’ strengths and limitations, and describing why an organisation would typically choose to employ an external provider of penetration testing services.
 | While the main focus of this report is to help organisations procure penetration services from external suppliers, it will also be useful for organisations who decide to undertake penetration tests themselves. |
Presented as a useful five stage procurement approach, the Guide then provides advice and guidance on how to:
- Determine business requirements for a penetration test, considering the drivers for testing, the purpose of testing and target environments.
- Agree the testing scope, approving testing style and type and assessing testing constraints.
- Establish a management framework to assure quality, reduce risk, manage changes and problems and agree contract.
- Plan and conduct the penetration test itself, which consists of conducting research, identifying vulnerabilities, exploiting weaknesses, report finding and remediating issues.
- Implement an improvement programme to address weaknesses, identify lessons learned, instigate actions and agree an approach for future testing.
Finally, the Guide highlights the main criteria to consider when choosing an appropriate external provider of penetration testing services (referred to as ‘the supplier’). The six key selection criteria for choosing a suitable supplier of penetration testing services are highlighted in Figure 1 and explored in more detail in Part 4 – Choosing a suitable supplier.
Figure 1: Key selection criteria for choosing a suitable supplier of penetration testing services
Purpose
The purpose of the Procurement Guide is to help you to:
- Understand objectives for conducting a penetration test;
- Gain an overview of the key components of an effective penetration testing approach;
- Determine whether or not to conduct a penetration test;
- Assess the need to outsource the undertaking of a penetration test;
- Identify what needs to be considered when planning for a penetration test;
- Consider the different types of penetration tests that are available;
- Learn about the penetration testing process – and associated methodologies;
- Determine criteria upon which to base selection of an appropriate supplier.
Scope
This Guide is focused on helping your organisation to choose the right supplier, at the right time, for the right reasons. This Guide is designed to help organisations procure penetration services from external suppliers, but will also be useful for organisations conducting penetration tests themselves.
| There are often special requirements for penetration testing service providers, for example when supplying services to UK Government departments. Organisations supplying services must have CHECK ‘green light’ clearance from CESG. Although these specific requirements are out of scope for this guide, they are typically covered by the contents of this Guide anyway. Further information on CHECK can be found at: www.cesg.gov.uk/site/check/index.cfm. |
Rationale
Organisations have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat to key systems is ever increasing; the probability of a security weakness being accidentally exposed or maliciously exploited needs to be continually assessed – such as via a penetration test – to ensure that the level of risk is at an acceptable level to the business.
Much of the material in this Guide is based on the findings of a research project – conducted by Jerakano Limited on behalf of CREST – about the main requirements organisations have for considering and conducting penetration tests. One of the main reasons for commissioning a research project was that the customers of CREST members were often unclear about how to best procure penetration testing services.
| A summary of CREST activities can be found at www.crest-approved.org/. Where relevant, CREST benefits are also highlighted throughout the Guide. |
| For ease of use, where key points in this document refer to the findings of the research project, they are signposted by one of these ‘Project Finding’ boxes. |
The research project was based on:
- Reviews of relevant material produced by industry bodies, including CPNI, OWASP, OSSTM and PTES (see following Tip and Appendix C for more details);
- Desktop (mainly web-based) research;
- Analysis of responses to a questionnaire about various topics associated with procuring penetration testing services;
- Interviews with leading suppliers of penetration testing services;
- Case st...
Table of contents
- Cover
- Title
- Copyright
- Table of Contents
- A structured approach for procuring penetration testing services
- Part I: Introduction and overview
- Part II: Understanding the key concepts
- Part III: Adopting a structured approach to penetration testing
- Part IV: Choosing a suitable supplier
- Case study – Banking
- Case study – feedback on the CREST complaint process
- CREST balanced scorecard
Frequently asked questions
Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn how to download books offline
Perlego offers two plans: Essential and Complete
- Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
- Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 990+ topics, we’ve got you covered! Learn about our mission
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more about Read Aloud
Yes! You can use the Perlego app on both iOS and Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Yes, you can access Penetration Testing Services Procurement Guide by CREST in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.