RFP: Penetration Testing

Penetration testing is a good way to determine what weaknesses may be present in an organization's infrastructure. Here is a basic request for proposal that can assist with identification and remediation of security risks.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Penetration testing, which involves probing applications, operating systems and device configurations with the goal of gaining access to protected data, is a good way to determine what weaknesses may be present in an organizations infrastructure. This is among the first steps an organization can take to systematically eliminate risky configurations before attackers can exploit these openings.

To identify the right solution when creating an authorized hacking or pen-testing request for proposal, security administrators should have a good understanding of the risks the organization desires to mitigate, the business processes that will be probed and the level of security that will be tolerated to attain security goals after the pen tests are completed.

/zimages/4/28571.gifThinking like a hacker is an effective method to ward off attacks from malware writers. Click here to read more.

Here is a basic RFP that can assist with identification and remediation of security risks.


  • Pen-testing services and security consultants are only as good as the research teams and test probes that stand behind them, so its important to get a good read on the vendors and services providers under evaluation.
  • Besides pen testing, what other services does the organization provide? (More answers, especially those not directly related to security, are not necessarily better.)
  • How many years has the organization been engaged in pen testing?
  • What automated tools are used to perform the test?
  • Is the vendor or security consultant under consideration a security reseller? If so, what makes and equipment do they resell? (If the priorities of a given pen-testing vendor appear to be focused more tightly on pushing product than on offering an objective assessment, youll do best to look elsewhere.)
  • Please list the background and years of experience for the principals of the test organization. If possible, provide a curriculum vitae for the consultants who will be assigned to this project.
  • Does your organization use a methodology? If yes, does the methodology correspond to or exceed that of the Open Web Application Security Project or some other outside authority?
  • Can the organization provide customer references?
  • What is the organizations policy on confidentiality?
  • Does the organization use outside staff for engagements? If so, what contract for confidentiality is in place to protect penetration results from disclosure?
  • Is the organization bonded? What does the standard contract include to ensure privacy of test results?


Security consultants often use a combination of pen testing, scanning and vulnerability assessment tools. It is important to know what tools will be used and the possible effect the tools could have on your network and applications.

Like many drugs, pen-test tools have side effects that can be unpleasant. It is important to keep in mind that the results of a well-run test often outweigh these side effects. If no loss of productivity can be tolerated, then a pen test should not be run. However, this in itself could indicate other serious network, application and system management problems.

  • What tools will be used to assess our organization?
  • Core Security Technologies Core Impact
  • Metasploit Project
  • Tenable Network Securitys Nessus Vulnerability Scanner
  • eEye Digital Securitys Retina
  • Mu Securitys Mu-4000 Security Analyzer
  • IP protocol analyzer; if yes, please specify.
    • Insecure.orgs Nmap
    • Qualys QualysGuard
    • Snort, Sourcefire 3D System
    • BigFix Platform
    • PatchLink Scan
    • Rapid7s NeXpose
    • Cenzics Cenzic Hailstorm
    • Others

/zimages/4/28571.gifHow do you turn a small group of security pros into an organized online crime group? Read the six rules here.

  • What platforms can be tested?
  • Windows desktop operating system (Windows 98, Windows ME, Windows XP, Vista)
  • Windows Servers (Windows 2000, Windows 2003)
  • Unix
  • Linux
  • Apple
  • Mainframe
  • Describe basic techniques used to enumerate target systems.
  • Describe basic techniques used to footprint target systems.
  • What pen tests can be run against the target?
  • Operating system
  • Network
  • Internal applications
  • Web applications

/zimages/4/28571.gifLearning to think like your most common opponent isnt that hard. Click here to read more.

  • What reporting services are provided at the end of the test? ( (Provide sample reports of actual tests.)
  • What remediation services are provided at the end of the test?

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.