Penetration Testing mailing list archives

Re: Cross-company collaboration


From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Thu, 30 Jul 2009 13:59:00 -0400

Happy that my thread got some people thinking! What is interesting is that my partner and I (here at Netragard) have often thought about the same thing. We've considered the idea of collaborating with other penetration testing companies on various levels, from taking on overflow work to playing out team-based scenarios for specific customers. Having said that, we haven't found any other pen-testing companies that a) we'd be comfortable working with or b) would be comfortable working with us (one or the other usually).

Jonathan, another such tool exists (unless I've misunderstood yours) that is called the dradis framework. There's a link to it on the right-hand side of our blog under affiliates and friends. Dradis is an information sharing framework for penetration testers. It enables us to create projects, store information, and even generate reports for the report writing team, all from one centralized location. Think of it as a collaboration tool specifically for pen-testers with awesome import functionality, etc. Nevertheless, how does that address the issue of two companies that offer penetration testing services working with each other? It doesn't. It only addresses the issue of team collaboration, right? Or have I misunderstood...

I've made additional comments below, mostly because I am very interested to hear what you have to say...


On Jul 28, 2009, at 4:50 PM, Jonathan Cran wrote:

All,


On Fri, Jul 17, 2009 at 04:47:41PM -0700, Erin Carroll wrote:
The recent thread from Adriel on verifying your security providers jogged a thought that's been at the back of my mind for a bit: Have you ever worked or collaborated with another pen-test company on projects? How did it work out? What prompted the collaboration effort? How did you manage the relationship with "the competition" and was it a successful engagement (financial or otherwise)? How did you find/choose who to work with?

It's interesting and timely that this issue is raised on the pen-test list. I'll be giving a talk at B-Sides Las Vegas on collaborative pentesting and specifically on some tools we've (rapid7) modified / developed to enable it. The talk is based around something we call pentest-console or ptc, which is really just an alias for the following:

Server:
- Trac/Svn as the basis (which is really a development project tracking software)
- Custom "template" projects to speed typical projects (such as a 5-day, or 10-day pentest)
- Custom shell scripts to augment project creation
- Various parsers to pull data into trac (tickets / wiki)
- Toolkit in svn

Client:
- Eclipse as a front-end
- Mylyn for Trac-Ticket Integration (and possibly time-tracking)

These tools were developed to help us better maintain methodology, and re-use existing work. However, it turns out that they're quite useful for collaboration / communication during a pentest, scalability to large teams, automatic report-gen and various other nice-to-haves.

You can find more info on the talk here: http://www.securitybsides.com

---

To answer your other, more business-oriented questions, however:

Q: Have you ever worked or collaborated with another pen-test company on projects?
A: Yep

Can you give me some insight without disclosing anything confidential about the project that you worked on? How did you perform the work without a conflict if you were both offering the same service? If you weren't offering the same service then why were you chosen for one and the other company for the other?


Q: How did it work out? What prompted the collaboration effort?
A: Depends on the relationship, depends on the work, depends on lots of things. Depending on how the relationship is managed, you could end up holding hands, or stabbing each other at the end of it. My experiences have been prompted by various business needs, whether it's the need for a specific type of expertise, or just too much work to handle in-house.

But what specifically was the cause of you having to work with the competition? Just one example. Overflow work makes sense, but that's not really working in tandem, is it? Maybe it was?



Q: How did you manage the relationship with "the competition" and was it a successful engagement (financial or otherwise)?
A: "competition" is definitely debatable. Generally, you don't want to sub out your core business functionality, so if you're giving your best work away to the competition, you're probably doing something wrong. The exception to that is when you have too much work (especially if you do not have a growing backlog), and you need to fill in gaps w/ other vendors.

I take issue with that. I'm going to be bold and possibly insulting here, but the fact is that of 100% of the companies that offer penetration testing services, the vast majority of them don't offer quality services. Most of them offer services that are the product of automated scanners. In the end, the final deliverable is the scanner's result vetted by a team member who probably isn't a hacker at heart but instead a security engineer. The result: a report that identifies no more vulnerabilities than the number of "issues" raised by the automated scanner. In my opinion (I don't mean to offend anyone here) such a service isn't providing customers with a test that is sufficient to protect them from the real-world threat. Such a service is basic, covers known vulnerabilities, and enables people to comply with certain regulatory requirements. If you think that being PCI compliant or <insert name here> compliant means that you won't get your ass handed to you by a talented hacker, then think again. PCI compliant businesses get hacked on a regular basis; take a look at the recent Network Solutions compromise as an example. They were/are PCI compliant, but was that sufficient to protect their customers' data from the hacker? Certainly not. Was that hacker a highly skilled, high-threat hacker? Who knows, but I'd suggest that he/she was probably mid-range with respect to skill. I say that because if he/she was highly skilled then the hack would have gone without notice.

So, if you have too much work, then how do you outsource that work to another vendor and maintain your standard of quality? (That's the point that I was trying to make.)


Q: How did you find/choose who to work with?
A: Most consulting / services firms are happy to discuss this kind of arrangement. I would suggest talking to your contacts and finding someone you trust, first and foremost. It's quite common to contract penetration testing work, some companies do this more than others. Many independent penetration testers in the US work as contractors because it's more lucrative.

Don't forget about quality and capability. Trust is great, but if the talent pool isn't well seasoned and versed, then your product is going to be awful. That said... in some respects trust is more important. Can't argue that point.



Well, one time when a customer wanted an application which required a very high level of securing they actually went as far as to order two companies (us and The Others™) to take care of it. Initially, we were both not too thrilled.

I've had this experience before as well. Generally it's best (and the client / customer would like you to focus in different areas).

As it turned out though, we were the crypto freaks and had a strong grasp on technical security while the other company was focussing mainly on organizational security, so we let them take care of that part of the job and hacked away peacefully.

Hopefully you both learned some things from each other :)

I'm curious, what is your methodology for performing application testing? Was this a web application or another type of application? Can you share that information?




cheers,

jcran




(But usually companies just want one "security provider".)




Kind regards,

                                Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              tonnerre.lombard () sygroup ch



Adriel T. Desautels
ad_lists () netragard com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com

