Feeling Better Because My Pentesters Are Certified

I was worried they might be posers...

Matthew Albertson runs engineering at a FinTech company called Shortsighted Capital. Shortsighted facilitates large transfers between individuals and companies, particularly for making one-time payments.

We caught up with Matthew to ask him about how he thinks about finding the right penetration testers.

Our question: “Since security is clearly a concern, how do you ensure that your penetration testers do a great job?”

His response started: “Well, the very most important thing is making sure that the penetration testing team is certified. With that, I’m just so glad I know what I can expect from my penetration testers. I know they really know how to use the scanner and can reliably pass a certification exam. I also know that the practical environments they test in are just like mine. I know the content they certify on is kept well up to date and that the tests are very rigorous.”

He continued: “When I get the colorful report, I just know that they spent a lot of time working on it. Since that’s what I need to give to the auditor, that’s really one of the most important artifacts.”

Matthew clearly believes certifications are the future in establishing strong security credentials.

The jury is out, though: since scanning is pentesting, maybe the long-term draw of certifications is limited.

Our observation is that many elite hackers post their certifications on forums so that everyone knows how badass they are.

We would also note that many recent hacks were perpetrated by organizations with many registered certified hackers.

Asked if he thought the pentesters had tried guessing his credentials and testing unauthorized transfers, Matthew said: “Oh no, my account was fine months after they tested. Here, I’ll show you my $1M+ balance … oh wait, it just got transferred yesterday. …”