Educause Security Discussion mailing list archives

Re: Pen Test vendors


From: Curt Wilson <curtw () SIU EDU>
Date: Mon, 12 Jan 2009 13:58:09 -0600

How many here perform in-house penetration testing? We do this here,
however I'm sure it's not as comprehensive as a larger company's
offering. I understand there is always a question of bias when internal
pentests are done. Despite that, I believe it's a wise practice. My
opinion is that you WILL get pentested - the only question is will it be
by someone that you WANT doing it, or will it be done first by an
attacker ready to pounce upon .edu-land?

For those that are able to bring in one of the larger players, what was
the scope of the engagement? I am also curious about your strategies to
help management understand the importance of this process.

Ideally security is baked into the whole development and project
lifecycle. However, it's just possible that security isn't always
baked into every step in every .edu environment, leaving systems in
production phases that have never received a solid review. However I'm
sure that all of us well-funded .edus never experience such a situation. :)

Individual replies are appropriate, and if I get enough responses I'll
make a summary for the list.

Thank you

Dick Jacobson wrote:
On Fri, 9 Jan 2009, Anand S Malwade wrote:

We have been happy with the process and the deliverable from Foundstone.

Hello All,

We want to conduct an independent Penetration Testing to evaluate the
effectiveness of our controls. Can anyone recommend a good Vendor that
you may have worked with in the past that really knows their stuff and
exploits vulnerabilities discovered?  There are many rookies out there
who just print Nessus or Nmap scan output which we can do ourselves.

Thanks,
Anand

Anand Malwade
Information Security Officer,
Seton Hall University

-----------------------------------------------------------------------
Dick Jacobson            e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer    office : STTC 219
        phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------

--
Curt Wilson
SIUC IT Security Officer & Security Engineer