Appropriate penetration testing certifications should be matched with evidence of experience from actual engagements, and the organisation’s training and QA processes should be designed to ensure that penetration testers are adequately qualified to conduct tests. References from other customers may be useful here, along with case studies of assignments performed in environments similar to your own scope and target system technology.
Likewise, you should consider what penetration testing experience the tester or team has with the technologies in the target environment (operating systems, hardware, web applications, highly customised applications, network services, protocols, etc.). If the target environment has availability constraints, unstable system components, or a large infrastructure, it is important to evaluate the tester’s ability to work within those restrictions, e.g. bandwidth constraints, time constraints, etc.
Consideration should also be given to the other skills and qualifications that the penetration tester has that will contribute to their ability to assess the environment. Industry-standard qualifications, like the 7Safe certifications, will help in determining the specific type of experience that the tester has.
Discussion of examples of network penetration testing and, where appropriate, application-layer penetration testing is recommended. What type of experience does the penetration tester have? You may also want to determine the tester’s familiarity with testing against the OWASP Top 10 and similar application secure-coding standards, and discuss examples of application penetration testing conducted by the supplier.