Penetration Testing mailing list archives
Re: Choosing an Independent Penetration Testing Firm
From: Anders Thulin <anders.thulin () sentor se>
Date: Thu, 07 Feb 2013 10:23:52 +0100
On 2013-02-07 02:31, Remi Broemeling wrote:
Does anyone on here have any specific recommendations on what to look for when choosing an independent penetration testing firm?
It usually takes one to know one. But as always, asking for references for comparable jobs and evaluating them is often a good thing to do.

Reporting is the most important part of the job: if you get a report you can't use or don't understand, or that doesn't cover what you need it to cover, the job will be largely wasted. Ask for a sample, and discuss it with them. You need to think things through: what *do* you need the report for? Do you need one or more reports -- in some environments knowledge about vulnerabilities must be kept compartmentalized. You may need a different structure than the sample, and the tester should not have any problems with that. (If they do, they may be relying on pre-canned functionality, which may not be a good sign.)

The company should be able to explain what they mean by a penetration test. Some just do vulnerability scans without actual penetration attempts; others include things like denial-of-service attacks, social engineering, physical intrusion etc. in the term.

The company should ask for systems that require special considerations: systems that must not be upset by the tests. (Doing a pen-test on a live environment during an important demo for a customer or investor, for example, is a no-no.) Some tests might be advisable to do on certain dates or at certain times, when system admins can be watching. If they don't ask you, ask them.

Also ask them about confidentiality agreements, damage insurance, certifications, methodology, tools, vulnerability classifications. Not all are relevant, and you may not care about the actual reply, but you do want to know how they reply.

You may also ask them for recommended action: how do they like *you* to work with the result? Some companies stop at mitigating action, such as removing some services and reconfiguring others, while others would prefer you to identify and correct any errors in procedures or routines that contributed to any vulnerability found. If one vulnerability is due to sloppy change management, just correcting the vulnerability doesn't really address the root cause of it.

If you have any 'friend companies', benchmarking partners, etc. who have done pen tests, check with them for experiences and recommendations.

--
Anders Thulin
070-757 36 10 / Intl. +46 70 757 36 10
Current thread:
- Choosing an Independent Penetration Testing Firm Remi Broemeling (Feb 06)
- Re: Choosing an Independent Penetration Testing Firm Justin Rogosky (Feb 06)
- Re: Choosing an Independent Penetration Testing Firm Sergey Soldatov (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Anders Thulin (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Owen Connolly (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Eric Schultz (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Justin Rogosky (Feb 06)