Full Disclosure mailing list archives
[Professional IT Security Providers - Exposed] Pivot Point Security ( A )
From: secreview <secreview () hushmail com>
Date: Sat, 5 Apr 2008 17:49:48 -0700 (PDT)
Pivot Point Security, whose website can be found at http://www.pvtpt.com, is a provider of Information Security Auditing, Security Event Management, and Penetration Testing services. We found them by doing yet another search for “Penetration Testing” on Google. Unlike some other providers who are afraid to have us look under their hood, Pivot Point let us right in.

The first thing that we are going to say is that we would recommend Pivot Point over most of the other companies that we’ve reviewed to date. They are honest about their capabilities, they do not hide behind a colorful storm of pretty marketing fluff, and they will not lead you down the wrong path. They also properly differentiate their services and use the appropriate terminology in their reports, during telephone conversations, and on their website. While they do not have the most technically advanced kung-fu, and are not comprised of a team of super hackers, they are able to deliver services that will help to increase their customers’ overall security posture.

During the telephone interview that we had with Pivot Point they told us that they do not have a Vulnerability Research and Development team. We feel very strongly that providers should perform Vulnerability Research and Development if they are going to be offering services like Penetration Testing and Vulnerability Assessments. This type of research can be used to enhance the quality of the services being delivered.

We can’t however say that Pivot Point performs no research. According to what we were told during our telephone call, Pivot Point performs very interesting and useful research that is focused on security events (firewalls, IDS, VPN, system logs, proxy logs). Their research is intended to improve the ability to detect “significant or anomalous” security events out of the large number of events that most enterprises generate. While we know that most hackers worth their salt can bypass IDS and avoid detection, we appreciate anyone that is making an effort to further enhance it.

Ok, so we’ve been nice so far and we do like Pivot Point, but we’re going to be taking a jab at them soon. During our telephone call Pivot Point made it very clear to us that their primary line of business was not Penetration Testing or Vulnerability Assessments, but that it was auditing. Pivot Point views Penetration Testing as a substantive form of controls auditing. Pivot Point acknowledged that they are not “super hackers” and that there are a limited number of instances where they will refer a customer to a provider that can provide those types of services. They will not lie like some providers and offer an advanced service while delivering a standard service just for the buck.

With that in mind, we did review a sanitized penetration testing report that was given to us by Pivot Point. Don’t ask us for a copy of the report because we were asked to keep it confidential and that is what we plan on doing.

Based on a detailed analysis of the report, it appears that Pivot Point’s methodology for performing Penetration Testing is as follows. First, Pivot Point will run the Nessus automated vulnerability scanner against the network or computer being tested. They will then digest the results from the automated scan and produce a list of vetted vulnerabilities. Pivot Point makes use of a range of other reconnaissance/attack tools (e.g., Nikto, Paros, App Detective, Wireshark, Cain & Abel, AirCrack) dependent on the project scope and customer objectives. Once they have those results, they use open source tools (e.g., Metasploit, pwdump, netcat, hydra) and/or custom scripting to target the vulnerabilities and attempt to penetrate the devices.

The reports do contain screen shots, and some level of technical description per discovery. But like Pivot Point told us initially, the report certainly did not demonstrate an advanced capability with respect to penetration testing.

In addition to the reports we were given a series of case studies. We don’t particularly care about most case studies as we consider most of them to be marketing fluff. That is after all what they are used for, isn’t it?

So in closing, we would recommend Pivot Point to anyone that doesn’t require the level of assurance that can be provided by a vendor with super depth and advanced services. Pivot Point will help you to identify “known security issues”, and they will help you to make sure that you are locked down with respect to those known issues. It is important to note that they will not protect you from the unknown or 0-day type issues, as their services are standard level (but high quality and honesty). When it comes to performing research and locating 0-day type issues, they say that they will redirect you to a quality vendor that can deliver that level of service.

As usual we’re open to suggestions about this review. If anything we’ve written is an untruth or does not accurately reflect Pivot Point Security let us know (the good and the bad).

-- Posted By secreview to Professional IT Security Providers - Exposed at 4/05/2008 03:07:00 PM
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/