Network and Web App Pen Test Providers

[tkrabec at gmail.com (Tim Krabec)]

I'd say it's like everything else, know your software & your team, their
strengths & weaknesses.
Only when you know the requirements, strengths & weaknesses can you assess
the needs.

If you can meet all your needs with 1 piece of software, then why switch, if
you cannot not, then why aren't you using something different?

On Thu, Aug 6, 2009 at 10:26 AM, Paul Asadoorian <paul at pauldotcom.com>wrote:

> While I am biased (yes we do pen tests and web app assessments), but I
> don't see the benefit of using different vendors every year.
>
> I believe its better to build a relationship with a reputable company
> that does a good job.  If they do a good job, stick with them, as they
> understand your business and now have an established relationship.
> Think of the time spent from the customers end having to explain your
> environment, challenges, policies, business model, to a new firm every
> year.  You can also get a fresh perspective from the same company
> because they may have added new employees (A good question to ask).
>
> Also, using the same firm allows you to build on past tests.  Any one
> company can only get so far in one week, but using the same company for
> your testing allows them to pick up where they left off.  Using a
> different company, they are going to start fresh, probably finding much
> of the same problems as the previous company (unless the company totally
> sucks, which is a different conversation).
>
> My recommendation is to apply a similar level of scrutiny to your pen
> test company as you do for potential employees.  Don't be afraid to ask
> hard questions, samples of work, references, and even through a test or
> challenge at them.  This will help you weed out "the suck" :)
>
> Cheers,
> Paul
>
> Raffi Jamgotchian wrote:
> > We would do something similar in the early days, but we would rotate
> > between two vendors every year.  We eventually dropped one of them
> > because we saw they weren't adding any additional value.
> >
> >
> > On Aug 6, 2009, at 12:50 AM, Vincent Lape wrote:
> >
> > > Its kinda odd to jump form one cheap place to another. i can totally
> > > understand the option for diverse testing however generally one would
> > > have 2 companies scan at the same time to see if there were any
> > > misses. Additionally jumping around yearly form one place to another
> > > will not prove if one place had missed something or not. your external
> > > environment will change from one year to the next. With the security
> > > field youll find it the same as any other, meaning you get what you
> > > pay for. For example if you take a $50 lawyer to court with you, or
> > > choose a super cut rate insurance company dont expect to get the same
> > > results you would if you went with a more experienced provider. One
> > > thing you may find with the "startup priced" places is the people
> > > doing the work may be a bit green. Knowledgeable, may have the certs
> > > to do so however not seasoned enough to really dig in. Or even worse
> > > you may end up getting the script kiddy special of some yahoo who
> > > downloaded the newest automated tools and is now a pen tester. In my
> > > past experience, when i look at a prospect that has been scanned
> > > before i ask to review the previous scans.
> > >
> > > To somewhat answer your question, i have used Protiviti in the past
> > > for my external net and app scans. For a 2X /24 with 350 hosts we were
> > > charged 10K per scan. They used several tools (core, nessus, et. al)
> > > as well as homegrown stuff they have put together. Another thing you
> > > might want to think about is contacting Paul directly to see if he is
> > > open for some consulting.
> > > On Aug 5, 2009, at 3:19 PM, Kennith Asher wrote:
> > >
> > > > The company I work for contracts with third parties each year to
> > > > perform web app and network penetration tests.  In the interest of
> > > > getting a different view of our vulnerabilities each time, we've
> > > > decided to go with new vendors this year (and each year hereafter).
> > > >
> > > > Can any of you out there provide unvarnished truth about your
> > > > experiences in similar endeavors.  I'm looking to put together a
> > > > short list of reputable firms who come recommended by people in the
> > > > know.
> > > >
> > > > The list should hold up to enterprise scrutiny (must be reputable)
> > > > and should be start-up priced.  (Aren't all security purchases
> > > > subject to such criteria?)
> > > >
> > > > Thanks for your input,
> > > >
> > > > Ken
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090806/d8b6d0f7/attachment.htm