PaulDotCom mailing list archives
Network and Web App Pen Test Providers
From: tkrabec at gmail.com (Tim Krabec)
Date: Thu, 6 Aug 2009 11:59:28 -0400
I'd say it's like everything else, know your software & your team, their strengths & weaknesses. Only when you know the requirements, strengths & weaknesses can you assess the needs. If you can meet all your needs with 1 piece of software, then why switch, if you cannot not, then why aren't you using something different? On Thu, Aug 6, 2009 at 10:26 AM, Paul Asadoorian <paul at pauldotcom.com>wrote:
While I am biased (yes we do pen tests and web app assessments), but I don't see the benefit of using different vendors every year. I believe its better to build a relationship with a reputable company that does a good job. If they do a good job, stick with them, as they understand your business and now have an established relationship. Think of the time spent from the customers end having to explain your environment, challenges, policies, business model, to a new firm every year. You can also get a fresh perspective from the same company because they may have added new employees (A good question to ask). Also, using the same firm allows you to build on past tests. Any one company can only get so far in one week, but using the same company for your testing allows them to pick up where they left off. Using a different company, they are going to start fresh, probably finding much of the same problems as the previous company (unless the company totally sucks, which is a different conversation). My recommendation is to apply a similar level of scrutiny to your pen test company as you do for potential employees. Don't be afraid to ask hard questions, samples of work, references, and even through a test or challenge at them. This will help you weed out "the suck" :) Cheers, Paul Raffi Jamgotchian wrote:We would do something similar in the early days, but we would rotate between two vendors every year. We eventually dropped one of them because we saw they weren't adding any additional value. On Aug 6, 2009, at 12:50 AM, Vincent Lape wrote:Its kinda odd to jump form one cheap place to another. i can totally understand the option for diverse testing however generally one would have 2 companies scan at the same time to see if there were any misses. Additionally jumping around yearly form one place to another will not prove if one place had missed something or not. your external environment will change from one year to the next. With the security field youll find it the same as any other, meaning you get what you pay for. For example if you take a $50 lawyer to court with you, or choose a super cut rate insurance company dont expect to get the same results you would if you went with a more experienced provider. One thing you may find with the "startup priced" places is the people doing the work may be a bit green. Knowledgeable, may have the certs to do so however not seasoned enough to really dig in. Or even worse you may end up getting the script kiddy special of some yahoo who downloaded the newest automated tools and is now a pen tester. In my past experience, when i look at a prospect that has been scanned before i ask to review the previous scans. To somewhat answer your question, i have used Protiviti in the past for my external net and app scans. For a 2X /24 with 350 hosts we were charged 10K per scan. They used several tools (core, nessus, et. al) as well as homegrown stuff they have put together. Another thing you might want to think about is contacting Paul directly to see if he is open for some consulting. On Aug 5, 2009, at 3:19 PM, Kennith Asher wrote:The company I work for contracts with third parties each year to perform web app and network penetration tests. In the interest of getting a different view of our vulnerabilities each time, we've decided to go with new vendors this year (and each year hereafter). Can any of you out there provide unvarnished truth about your experiences in similar endeavors. I'm looking to put together a short list of reputable firms who come recommended by people in the know. The list should hold up to enterprise scrutiny (must be reputable) and should be start-up priced. (Aren't all security purchases subject to such criteria?) Thanks for your input, Ken _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com-- Paul Asadoorian PaulDotCom Enterprises Web: http://pauldotcom.com Phone: 401.829.9552 _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-- Tim Krabec Kracomp 772-597-2349 smbminute.com kracomp.blogspot.com www.kracomp.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090806/d8b6d0f7/attachment.htm
Current thread:
- Network and Web App Pen Test Providers Kennith Asher (Aug 05)
- Network and Web App Pen Test Providers Vincent Lape (Aug 05)
- Network and Web App Pen Test Providers Raffi Jamgotchian (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Mike Patterson (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Jim Halfpenny (Aug 06)
- Network and Web App Pen Test Providers Chris Clymer (Aug 06)
- Network and Web App Pen Test Providers Raffi Jamgotchian (Aug 06)
- Network and Web App Pen Test Providers strandjs at gmail.com (Aug 06)
- Network and Web App Pen Test Providers Tim Krabec (Aug 06)
- Network and Web App Pen Test Providers Kennith Asher (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Vincent Lape (Aug 05)
- Network and Web App Pen Test Providers Michael Douglas (Aug 06)