It's in my best opinion to make sure you question the auditor on some basic security and networking knowledge before you choose them to perform your security audits. A professional security auditor should present you with a few legal documents. Some of which may be:
1. NDA (Non-Disclosure Agreement). This will form a legal bond of privacy between you and the auditor. This makes sure that the auditor will not "leak" any information about his/her findings on your network to anyone else but you.
2. Legal Security Assessment: This will entail the tests to be performed in detail, and a legal document between you and the auditor, mostly for the auditor claiming no responsibility for any downtime or damage that may occur while the tests are being performed, mostly during a hostile "hacker" emulation.
You may also want to make sure the auditor gives you a detailed report of the results of the tests performed, as well as a detailed explanation of the findings in terms you are able to understand. Also, you may want to ask this person if they perform the fixes for any security breaches they may find. Some may charge extra, or some may aid in the repairs by an administrator.
Originally Posted by BurakUeda
I have used Comodo's HackerGuardian for a year. They use Nessus as most of the other audit companies, which is a free scanning tool.
Nessus tends to throw some false positives about server security, such as OpenSSL version, mod_frontpage version, etc.
There is also SecuritySpace which I heard good things about, but I have never used them.
It's my firm belief as a certified security engineer holding various certifications in this field that the tools are only as good as the pen tester. Even though Nessus and some other tools may toss up false positives, it's the auditor's job and duty to verify the findings by other means, perhaps manual research and discovery methods.