Most managers consider switching penetration testing providers to be best practice. If the same attack vectors are tested, this allows the quality and quantity of the different providers' results to be compared. A small amount of additional work may be required, as the new analyst first needs to become familiar with the system under test, but this is outweighed by the insight gained. It is also common practice to commission penetration tests from providers who specialize in certain segments.
Ideally, no information about penetration tests that have already been carried out should be passed on to the future service provider, because this establishes a cross-company dual control principle in which other methods, experience and tools are also brought to bear. For example, we also use our own scanners in addition to the free and commercial tools currently on the market. We believe that specialists have better niche knowledge than generalists, because generalists often have to perform other tasks in parallel. Penetration testing should never be contracted out to a company that has acted as the solution architect for the system: its developers may be blind to some aspects of their own work. For that reason we always recommend unit testing, peer code reviews and quality assurance in addition to independent testing.
Advantages of switching providers
- Comparison of quantity and quality
- Different methods for more insight
- Principle of dual control among service providers
- New findings and a different perspective
- Avoid operational blindness
We see the need for an information barrier between the various penetration testers. This allows an objective and multi-layered evaluation of the underlying system. The client can thus compare the findings more effectively and gain new perspectives.