nanog mailing list archives

Re: Penetration Test Assistance


From: Jason 'XenoPhage' Frisvold <xenophage () godshell com>
Date: Tue, 5 Jun 2012 14:05:06 -0400

On Jun 5, 2012, at 12:52 PM, Peter Kristolaitis <alter3d () alter3d ca> wrote:
In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be 
done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving them 
Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. Go.".   
There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who actually 
write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call it a day.  
Like everything else in IT, security has been "commercialized" to the point where finding really good vendors/people 
is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup certifications you can 
imagine.

There are definitely a number of incredible pen-testers out there.  But I agree with Peter… If you end up with a 
"report" that's nothing more than an executive statement pasted at the top of a Nessus report, then you've wasted your 
money.  To be honest, I'd recommend getting a sample report from the company and quizzing them on it before committing to a 
contract with them.

---------------------------
Jason 'XenoPhage' Frisvold
xenophage () godshell com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law




