Penetration Testing mailing list archives

Re: Evaluating pentesters


From: security curmudgeon <jericho () attrition org>
Date: Tue, 9 Mar 2010 06:44:17 +0000 (UTC)
On Mon, 8 Mar 2010, Tracy Reed wrote:

: On Fri, Mar 05, 2010 at 07:01:33PM -0500, Tony Turner spake thusly:
: > I've been burned in the past with some real bad ones..
: 
: Just out of curiosity, what makes for a bad pen-testing firm?

I'm not willing to go into a rant about what I think qualifies a firm as 
good or bad, but I will offer this piece of advice:

Ask for a sample pen-test / PCI report from the company in question. If 
you don't receive it in 1 business day, be afraid. If you do get it, read 
through it carefully and see what substance is there.

- Is it 90% written for C level execs?
- Do the vuln write-ups come directly from a Nessus plugin or OSVDB entry?
- Does the sample show ANY sign that it was customized for a client (and 
  sanitized of course)?
- Does wording from the intro / summary pop up on Google a dozen times?
- Do the sample findings (plural) have sufficient technical detail *and* 
  solution information?

And perhaps most importantly..

- If you received the same report for your organization, would it help 
  you remediate the issues?

If any of the above points are an issue, ask yourself (and the firm) why.
