Penetration Testing mailing list archives
Re: 3rd party vuln assesment firms
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Fri, 23 Dec 2005 17:14:51 -0300
Another important thing from the penetration tester's viewpoint is to be precise and impose self-discipline on the engagement's schedule. A common problem is that the start of the engagement gets delayed or that the timeframe for the pentest gets reduced or otherwise modified. That will have an impact on the quality of the results. Also, when a few schedules are moved around it becomes a nightmare for the pentest provider to properly allocate and manage its resources across several jobs at different stages.

I would summarize (from a provider's perspective) the most important things as follows:

- A well-defined scope.
- A well-prepared action plan including all the relevant points of contact with the customer and an agreed-upon way to communicate with them. They should be aware that the assessment will take place during weeks X-Y and they'll need to get involved.
- A precise timeframe and work schedule.
- A follow-up plan to act on the results.

-ivan

Erin Carroll wrote:
On 23 Dec 2005 rklemaster () hotmail com wrote:

I'm looking for a firm to conduct annual 3rd party vulnerability assessments for a nationwide carrier ISP. If anyone has any references or stories to share, I'd like to hear about them. thanks!

I'll let others speak to what firms or referrals etc. but wanted to inject some thoughts on what it's like on the other side of the fence, which may be of use when you are making your choice.

By far the most irritating and common issue that crops up as a pen-tester when doing 3rd party internal/external pen-tests and VAs is the lack of a clearly defined scope from the client. In some cases 60%+ of my billable time boils down to trying to figure out just what the client wants tested, what the priorities are, which systems I have to be delicate around (some tools can cause outages/DoS etc.), how many systems, who the technical contacts within the client company are if questions or issues arise, and who the "suit" running the project is who can assist with overcoming roadblocks on the management end of things. Don't get me wrong, the extra hours billed are nice for my wallet, but as the client you are burning a lot of cash for no reason. Having all those details nailed down *in advance* goes a long way to saving you headaches and cash. Additionally, get your legal dept to draft up an agreement outlining the scope. This is to protect both you and the VA firm.

Another thing to consider when shopping around on this is to figure out *in advance* what information you want at the end of the annual engagement. A management summary of the low-hanging fruit? A technical analysis to take to your engineers? A doc to cover you in regards to regulatory requirements? If you need the information in a particular format, be sure to communicate that.

The last thing I'll throw in here is to have some sort of action plan to address the issues that are found. Many times I've come back to reassess a client's infrastructure only to find the same holes/issues in place with little or no change. You are hiring me for my expertise. Use it. Oh, I'll happily cash the check again, but most security geeks I know like to see their imparted knowledge and findings put to use.

-Erin Carroll
Moderator
SecurityFocus pen-test mailing list

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
--
---
To strive, to seek, to find, and not to yield. - Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
Current thread:
- 3rd party vuln assesment firms rklemaster (Dec 23)
- Re: 3rd party vuln assesment firms Erin Carroll (Dec 23)
- Re: 3rd party vuln assesment firms Ivan Arce (Dec 23)
- Re: 3rd party vuln assesment firms neal wise (Dec 24)
- Re: 3rd party vuln assesment firms raven (Dec 27)
- Re: 3rd party vuln assesment firms Roland Dobbins (Dec 27)
- RE: 3rd party vuln assesment firms Chris Serafin (Dec 28)
- Re: 3rd party vuln assesment firms Ivan Arce (Dec 23)
- Re: 3rd party vuln assesment firms Erin Carroll (Dec 23)
- Re: 3rd party vuln assesment firms Byron Sonne (Dec 23)
- <Possible follow-ups>
- RE: 3rd party vuln assesment firms Wray, Donald W (Dec 26)
- Re: 3rd party vuln assesment firms Michael Weber (Dec 27)
- Re: 3rd party vuln assesment firms InfoSecBOFH (Dec 27)
- RE: 3rd party vuln assesment firms Erin Carroll (Dec 27)
- RE: 3rd party vuln assesment firms Nathan (Dec 28)
- Re: 3rd party vuln assesment firms InfoSecBOFH (Dec 27)