Wednesday, August 3, 2011

Consultancy and Software Testing For Information Security: What To Look For

Have you been given the task of finding a company to perform consultancy and software testing for your firm's computer security? If you have no previous experience with information security consultants, it can be difficult to know what to look for. Here are a few tips to help you compile a shortlist of firms.

·    Find out from the consultancy what certifications their software testing experts have gained. For penetration testers, look for certificates from CREST (CSTA or the more advanced CSTP), GIAC (GPEN and GWAPT), or EC-Council (CEH).

·    Ask the consulting firm what type of vetting they apply when hiring for software testing jobs. You need to be sure that the people accessing your network and computers do not have a criminal record, do not have a history of "black hat" hacking, and are committed to the highest professional standards of integrity and confidentiality.

·    Obtain a list of past software testing clients from the firm of consultants, and contact them for references. This will yield a lot more information than simply reading the firm's website or publicity material.

·    Check that the firm offering consultancy and software testing is a member of the relevant industry bodies. In the case of information security, this might include the UK's CLAS (CESG Listed Advisors Scheme) or CHECK scheme, or the world-wide CREST (Council of Registered Ethical Security Testers).

·    Look for indicators of the highest professional and ethical standards in application testing on the part of the consultancy. Does their website have a page setting out their company values and mission statement? Do their brochures and publicity material mention a recognised set of company values? If so, at least they are aware of the need for these standards.

·    Price is not the best criterion. The lowest price might point to a firm that cuts corners in software testing, or which does not spare the time needed to stay current with best practice in the field. Get quotes from several consultancy firms to gain an idea of the going rate. Reject firms that quote a price very much less than the going rate for the same scope of work: this could be a sign of an unreliable software testing consultancy.

·    Finally: try to get some personal contact with the consultants, either through a telephone call or, even better, a face-to-face meeting. Quite often your "gut feeling" will tell you what no amount of research could unearth!

It's not an easy job to select the best consultancy for software application testing, especially when you have no background in the field. But a few common-sense guidelines, like those above, can go a long way towards making the task easier. With a bit of luck, you'll soon have just a few names on your shortlist. One of these will probably be the best consultancy firm for you: good luck!
