Qualified internal resources or a qualified third party may perform the penetration test as long as they are organizationally independent. This means the penetration tester must be organizationally separate from the management of the target systems. For example, in situations where a third-party company is performing the PCI DSS assessment for the entity, that party cannot perform the penetration test if they were involved in the installation, maintenance, or support of target systems.
The following guidelines may be useful when selecting a penetration tester (or team) to understand their qualifications to perform penetration testing.
Certifications held by a penetration tester may be an indication of the skill level and competence of a potential penetration tester or company. While these are not required certifications, they can indicate a common body of knowledge held by the candidate.
The following are some examples of common penetration testing certifications:
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC) Certifications (e.g., GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), or GIAC Exploit Researcher and Advanced Penetration Tester (GXPN))
- CREST Penetration Testing Certifications
- Communication Electronic Security Group (CESG) IT Health Check Service (CHECK) certification
Note: The PCI SSC does not validate or endorse these certifications.
Appropriate penetration testing experience and qualifications cannot be met by certifications alone. Therefore, confirmation of additional criteria is necessary.
For example, review of the extent of actual engagements that have been performed and relevant work experience are important considerations when selecting a penetration tester or team. The following questions are examples for assessing the qualifications and competency of a penetration tester or team. This is not an exhaustive list:
- How many years’ experience does the penetration tester have?
If the penetration tester is in their first year of penetration testing, careful consideration should be given to the following questions to ensure the penetration tester has sufficient knowledge and is adequately trained to perform the penetration test. Consideration should also be given to the organization itself, by verifying its training and QA processes, to ensure the penetration tester is qualified.
- How many years has the organization that employs the penetration tester been performing penetration tests?
References from other customers may also be useful in this consideration.
- Has the penetration tester performed assessments against organizations of similar size and scope?
For environments with high availability constraints, unstable system components, or large infrastructures, it is important to evaluate a tester’s ability to handle those restrictions (bandwidth constraints, time constraints, etc.).
- What penetration testing experience has the penetration tester or team had with the technologies in the target environment (e.g., operating systems, hardware, web applications, highly customized applications, network services, protocols, etc.)?
When selecting a penetration tester, it is important to evaluate the past testing experience of the organization for which the tester works as it pertains to technologies specifically deployed within the target environment.
Even if the penetration tester has not performed an assessment of certain specific technologies, if the tester has managed, maintained, been trained on, or developed said technologies, the tester may still be qualified to perform the penetration test.
Note: An organization may want to consider having a development-environment lab where penetration tests can be performed outside of the production environment and where internal resources can train and increase their experience, developing both their skills and their potential certifications.
The intent of a penetration test is to simulate a real-world attack situation with the goal of identifying how far an attacker may be able to penetrate into the environment. Defining the success criteria for the penetration test allows the entity to set limits on the depth of the penetration test. Without agreeing on the point at which the penetration test is complete, there is a possibility of the tester exceeding the boundaries and expectations of the target entity.
Possible success criteria may include:
- Direct observation of restricted services or data in the absence of expected access controls
- Compromise of an intermediary device used by privileged users to access the CDE
- Compromise of the domain used by privileged users
- No compromise of the target systems
The success criteria will be different for every environment and should be established during the initial pre-engagement meeting prior to testing.