Educause Security Discussion mailing list archives

Re: third party pentesting services and pentesting RFP


From: Brian J Smith-Sweeney <bsmithsweeney () NYU EDU>
Date: Fri, 8 Apr 2011 16:09:50 +0000

I'll give a strong recommendation for SensePost - they're a
relatively small shop of highly skilled pen testers out of South
Africa.  They do a fair bit of research and publish and present at
major conferences regularly.  Most of our internal folks have taken
classes from them and we've used them on one project with better
results than any other vendor we've engaged.  I'm happy to discuss
this more offline if you like.

My opinion - admittedly based on a bit of personal experience and
hallway conversations at security cons - is that you go with a smaller
skilled shop if you want more in-depth technical results, and you go
with a larger shop if you want a name folks will recognize for CYA
purposes.  If you're interested I can provide a longer list of places
we considered before our recent outsource engagement.

Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney            Project Lead
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





On Thu, Apr 7, 2011 at 7:45 PM, Youngquist, Jason R.
<jryoungquist () ccis edu> wrote:
We are looking at having some pentesting done by a third party.  This would
include network pentesting, web application assessment, and social
engineering.  I was wondering if anyone had any recommendations for vendors
that provide such services.

Also, does anyone have any pentesting RFP they would be willing to share?

Feel free to email me off list.

Thanks.

Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu





