- Is there some "standard" penetration methodology or process out there?
- I'm sure, if it's like any other industry - there's tons of "standards" out there... But which ones are the "biggies" and how would one know if someone did a good job?
- Are there firms that "audit" the pen-testing companies?
There are two well-known "pentesting" frameworks: ISSAF (http://www.oissg.org/downloads/issaf-0.2/index.php) and OSSTMM (http://www.isecom.org/osstmm/). Without getting too much into politics, I wouldn't bother with ISSAF, since it hasn't been taken seriously since 2006, which is a long time for new things to "happen." OSSTMM provides the most information for getting the job done correctly; however, it has never really taken off here in the United States.
As for remediation, most companies clarify the differences in their SOWs. Some companies steer clear of offering "fixes" for the sake of remaining unbiased in their findings. Some companies offer both a remedy and a cure; however, companies that do so run the risk of being viewed as having an agenda. For example, if I told you "I can reach SMB ports, there is a potential for an attack... I can fix it for you for ..." how would you react, versus: "It's possible to reach SMB ports"? At that point it is at your discretion to act upon it: validate that SMB is vulnerable, or go about "business as usual." In the former ("... I can fix it for you") there is a connotation of "slick willie talk," if you ask me.
Anyhow, I'd suggest learning OSSTMM and the NSA IAM/IEM methodologies and incorporating them into your own framework. I usually use those two frameworks in a mesh of my own little mess to create my own framework of testing, responses, and reporting.