PaulDotCom mailing list archives
Network and Web App Pen Test Providers
From: raffi at flossyourmind.com (Raffi Jamgotchian)
Date: Thu, 6 Aug 2009 08:41:31 -0400
We would do something similar in the early days, but we would rotate between two vendors every year. We eventually dropped one of them because we saw they weren't adding any additional value. On Aug 6, 2009, at 12:50 AM, Vincent Lape wrote:
Its kinda odd to jump form one cheap place to another. i can totally understand the option for diverse testing however generally one would have 2 companies scan at the same time to see if there were any misses. Additionally jumping around yearly form one place to another will not prove if one place had missed something or not. your external environment will change from one year to the next. With the security field youll find it the same as any other, meaning you get what you pay for. For example if you take a $50 lawyer to court with you, or choose a super cut rate insurance company dont expect to get the same results you would if you went with a more experienced provider. One thing you may find with the "startup priced" places is the people doing the work may be a bit green. Knowledgeable, may have the certs to do so however not seasoned enough to really dig in. Or even worse you may end up getting the script kiddy special of some yahoo who downloaded the newest automated tools and is now a pen tester. In my past experience, when i look at a prospect that has been scanned before i ask to review the previous scans. To somewhat answer your question, i have used Protiviti in the past for my external net and app scans. For a 2X /24 with 350 hosts we were charged 10K per scan. They used several tools (core, nessus, et. al) as well as homegrown stuff they have put together. Another thing you might want to think about is contacting Paul directly to see if he is open for some consulting. On Aug 5, 2009, at 3:19 PM, Kennith Asher wrote:The company I work for contracts with third parties each year to perform web app and network penetration tests. In the interest of getting a different view of our vulnerabilities each time, we've decided to go with new vendors this year (and each year hereafter). Can any of you out there provide unvarnished truth about your experiences in similar endeavors. I'm looking to put together a short list of reputable firms who come recommended by people in the know. The list should hold up to enterprise scrutiny (must be reputable) and should be start-up priced. (Aren't all security purchases subject to such criteria?) Thanks for your input, Ken _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Network and Web App Pen Test Providers Kennith Asher (Aug 05)
- Network and Web App Pen Test Providers Vincent Lape (Aug 05)
- Network and Web App Pen Test Providers Raffi Jamgotchian (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Mike Patterson (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Jim Halfpenny (Aug 06)
- Network and Web App Pen Test Providers Chris Clymer (Aug 06)
- Network and Web App Pen Test Providers Raffi Jamgotchian (Aug 06)
- Network and Web App Pen Test Providers strandjs at gmail.com (Aug 06)
- Network and Web App Pen Test Providers Tim Krabec (Aug 06)
- Network and Web App Pen Test Providers Kennith Asher (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Vincent Lape (Aug 05)
- Network and Web App Pen Test Providers Michael Douglas (Aug 06)