Educause Security Discussion mailing list archives

Re: Pen Test vendors


From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Tue, 13 Jan 2009 16:36:45 -0500

With PCI requiring annual penetration tests of the cardholder environment, is that motivation enough for people to
start their own pentest programs? Are .edus that are subject to PCI outsourcing this or developing it internally?
-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 1/12/2009 at 2:58 PM, in message <496BA0D1.60705 () siu edu>, Curt Wilson
<curtw () SIU EDU> wrote:
How many here perform in-house penetration testing? We do this here,
however I'm sure it's not as comprehensive as a larger company's
offering. I understand there is always a question of bias when internal
pentests are done. Despite that, I believe it's a wise practice. My
opinion is that you WILL get pentested - the only question is will it be
by someone that you WANT doing it, or will it be done first by an
attacker ready to pounce upon .edu-land?

For those that are able to bring in one of the larger players, what was
the scope of the engagement? I am also curious about your strategies to
help management understand the importance of this process.

Ideally security is baked into the whole development and project
lifecycle. However, it's just possible that security isn't always
baked into every step in every .edu environment, leaving systems in
production that have never received a solid review. However, I'm
sure that all of us well-funded .edus never experience such a situation. :)

Individual replies are appropriate, and if I get enough responses I'll
make a summary for the list.

Thank you

Dick Jacobson wrote:
On Fri, 9 Jan 2009, Anand S Malwade wrote:

We have been happy with the process and the deliverable from Foundstone.


Hello All,

We want to conduct an independent penetration test to evaluate the
effectiveness of our controls. Can anyone recommend a good vendor that
you may have worked with in the past that really knows their stuff and
exploits the vulnerabilities discovered? There are many rookies out there
who just print Nessus or Nmap scan output, which we can do ourselves.

Thanks,
Anand

Anand Malwade
Information Security Officer,
Seton Hall University
-----------------------------------------------------------------------
Dick Jacobson            e-mail : Dick.Jacobson () ndus NoDak edu 
NDUS IT Security Officer    office : STTC 219
        phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------