Penetration Testing mailing list archives
Fwd: Evaluating pentesters
From: Daniel Hood <dsmhood () gmail com>
Date: Wed, 10 Mar 2010 20:53:28 +1100
I'm usually on the otherside of the fence with this sort of stuff (Being a pen-tester). But I guess the easiest way to weed out those "cash-hungry" bogans who just use tools like Nessus and such and then hand you the scan results and those people who have a little bit of experience with metasploit and think they are the best, is to check into their companies and make sure they have some kind of RnD department. Not a product RnD department, but one thats doing actual original research into vulnerabilities and has a couple of original whitepapers on their website about various forms of pen-testing. Companies that do research and publish exploits, that they have researched and written usually are the ones that are worth their coin. And if you have a quick flick through their whitepapers, you can usually get a good feel of how they work and some of the methodologies they use. Instead of trying to work out whether they are BS'ing or giving you gold in a first interview when you ask them about methodologies and skill levels... Just my two cents, Daniel On Sat, Mar 6, 2010 at 11:01 AM, Tony Turner <tony_l_turner () yahoo com> wrote:
Is there some kind of "Who's Who" of penetration testing firms? Right now my primary methods for evaluating potential firms for pentest engagements are requesting sanitized reports from past tests and asking questions about their methodology. Is there some resource online I might be able to use to locate quality testers? I've been burned in the past with some real bad ones.. I'm looking for network/systems/application/web/wireless from a PCI focused firm. Not so much interested in physical security and social engineering tests at this time but these services may be useful for future engagements. Also not interested in paying good money for someone else to just do a Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful tools of course, but I've met a few idiots who thought that was what penetration testing was. I am in the SE United States. -- Tony L Turner CISSP, CISA, GPEN, GCIA, GSEC, VCP, ITIL-F ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Re: Evaluating pentesters, (continued)
- Re: Evaluating pentesters Andre Gironda (Mar 08)
- Re: Evaluating pentesters aceinyaface (Mar 09)
- Re: Evaluating pentesters Jason Ross (Mar 09)
- Re: Evaluating pentesters Brent Huston (Mar 11)
- Re: Evaluating pentesters Shohn Trojacek (Mar 09)
- Re: Evaluating pentesters Rudra Kamal Sinha Roy (Mar 11)
- RE: Evaluating pentesters Frye, Dan (Mar 11)
- RE: Evaluating pentesters security curmudgeon (Mar 15)
- Re: Evaluating pentesters Pete Herzog (Mar 17)
- RE: Evaluating pentesters Cor Rosielle (Mar 23)
- Re: Evaluating pentesters Rudra Kamal Sinha Roy (Mar 11)
- Message not available
- Fwd: Evaluating pentesters Daniel Hood (Mar 11)
- Re: Evaluating pentesters Mohamed Farid (Mar 11)
- Re: Evaluating pentesters ben . dexter (Mar 11)
- Re: Evaluating pentesters Daniel Clemens (Mar 11)