Penetration Testing mailing list archives
Re: Evaluating pentesters
From: security curmudgeon <jericho () attrition org>
Date: Tue, 9 Mar 2010 06:44:17 +0000 (UTC)
On Mon, 8 Mar 2010, Tracy Reed wrote:

: On Fri, Mar 05, 2010 at 07:01:33PM -0500, Tony Turner spake thusly:
: > I've been burned in the past with some real bad ones..
:
: Just out of curiosity, what makes for a bad pen-testing firm?

I'm not willing to go into a rant about what I think qualifies a firm as good or bad, but I will offer this piece of advice:

Ask for a sample pen-test / PCI report from the company in question. If you don't receive it in 1 business day, be afraid.

If you do get it, read through it carefully and see what substance is there.

- Is it 90% written for C level execs?
- Do the vuln write-ups come directly from a Nessus plugin or OSVDB entry?
- Does the sample show ANY sign that it was customized for a client (and sanitized of course)?
- Does wording from the intro / summary pop up on Google a dozen times?
- Do the sample findings (plural) have sufficient technical detail *and* solution information?

And perhaps most importantly..

- If you received the same report for your organization, would it help you remediate the issues?

If any of the above points are an issue, ask yourself (and the firm) why.