Network and Web App Pen Test Providers

[raffi at flossyourmind.com (Raffi Jamgotchian)]

We would do something similar in the early days, but we would rotate  
between two vendors every year.  We eventually dropped one of them  
because we saw they weren't adding any additional value.


On Aug 6, 2009, at 12:50 AM, Vincent Lape wrote:

> Its kinda odd to jump form one cheap place to another. i can totally
> understand the option for diverse testing however generally one would
> have 2 companies scan at the same time to see if there were any
> misses. Additionally jumping around yearly form one place to another
> will not prove if one place had missed something or not. your external
> environment will change from one year to the next. With the security
> field youll find it the same as any other, meaning you get what you
> pay for. For example if you take a $50 lawyer to court with you, or
> choose a super cut rate insurance company dont expect to get the same
> results you would if you went with a more experienced provider. One
> thing you may find with the "startup priced" places is the people
> doing the work may be a bit green. Knowledgeable, may have the certs
> to do so however not seasoned enough to really dig in. Or even worse
> you may end up getting the script kiddy special of some yahoo who
> downloaded the newest automated tools and is now a pen tester. In my
> past experience, when i look at a prospect that has been scanned
> before i ask to review the previous scans.
>
> To somewhat answer your question, i have used Protiviti in the past
> for my external net and app scans. For a 2X /24 with 350 hosts we were
> charged 10K per scan. They used several tools (core, nessus, et. al)
> as well as homegrown stuff they have put together. Another thing you
> might want to think about is contacting Paul directly to see if he is
> open for some consulting.
> On Aug 5, 2009, at 3:19 PM, Kennith Asher wrote:
>
> > The company I work for contracts with third parties each year to
> > perform web app and network penetration tests.  In the interest of
> > getting a different view of our vulnerabilities each time, we've
> > decided to go with new vendors this year (and each year hereafter).
> >
> > Can any of you out there provide unvarnished truth about your
> > experiences in similar endeavors.  I'm looking to put together a
> > short list of reputable firms who come recommended by people in the
> > know.
> >
> > The list should hold up to enterprise scrutiny (must be reputable)
> > and should be start-up priced.  (Aren't all security purchases
> > subject to such criteria?)
> >
> > Thanks for your input,
> >
> > Ken
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com