Re: 3rd party vuln assesment firms

[Ivan Arce <ivan.arce () coresecurity com>]

Another important thing from the penetration tester's viewpoint is to be
precise and an dimpose self-discipline with he engagement's schedule. A
common problem is that the start of the engagement gets delayed or that
the timeframe for the pentest gets reduced or otherwise modified. That
will have an impact on the quality of the results. Also, when a few
schedules are moved around it becomes a nightmare for the pentest
provider to properly allocate and manage its resources across several
jobs at different stages.

I would summarize (from a provider's perspective) the msot important
things as follows:
- A well-defined defined scope
- A well-prepared action plan including all the relevant points of
contact with the customer and an agreed-upon way to communicate with
them. They should be aware that the assessment will take place during
weeks X-Y and they'll need to get involved.
- A precise timeframe and work schedule.
- A follow-up plan to act on the results.

-ivan


Erin Carroll wrote:
> On 23 Dec 2005 rklemaster () hotmail com wrote:
>
>
> > I'm looking for a firm to conduct annual 3rd party vulnerability assesments for a nationwide carrier ISP. If anyone 
> > has any references or stories to share, I'd like to hear about them.
> > thanks!
>
>
>
> I'll let others speak to what firms or referrals etc. but wanted to inject
> some thoughts on what it's like on the other side of the fence which may 
> be of use when you are making your choice.
>
> By far the most irritating and common issue that crops up as a pen-tester
> when doing 3rd party internal/external pen-test and VA's is the lack of a
> clearly defined scope from the client. In some cases 60%+ of my billable
> time boils down to trying to figure out just what the client wants tested,
> what the priorities are, which systems I have to be delicate around (some
> tools can cause outages/DoS etc), how many systems, who are the technical
> contacts within the client company if questions or issues arise, and who
> is the "suit"  running the project who can assist with overcoming
> roadblocks on the management end of things. Don't get me wrong, the extra
> hours billed are nice for my wallet but as the client you are burning a
> lot of cash for no reason.
>
> Having all those details nailed down *in advance* goes a long way to 
> saving you headaches and cash. Additionally, get your legal dept to draft 
> up an agreement outlining the scope. This is to protect both you and the 
> VA firm.
>
> Another thing to consider when shopping around on this is to figure out
> *in advance* what information you want at the end of the annual
> engagement. A management summary of the low hanging fruit? A technical
> analysis to take to your engineers? A doc to cover you in regards to 
> regulatory requirements? If you need the information in a 
> particular format be sure to communicate that. 
>
> The last thing I'll throw in here is to have some sort of action plan to
> address the issues that are found. Many times I've come back to reassess a
> client's infrastructure only to find the same holes/issues in place with
> little or no change. You are hiring me for my expertise. Use it. Oh, I'll
> happily cash the check again but most security geeks I know like to see
> their imparted knowledge and findings put to use.
>
>
> -Erin Carroll
> Moderator
> SecurityFocus pen-test mailing list
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking applications on your 
> website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
> futile against web application hacking. Check your website for vulnerabilities 
> to SQL injection, Cross site scripting and other web attacks before hackers do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------

-- 
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------