PaulDotCom mailing list archives

Network and Web App Pen Test Providers


From: herrasher at gmail.com (Kennith Asher)
Date: Thu, 6 Aug 2009 09:34:13 -0700

First let me say that I totally agree, especially in the case of pen tests,
that you get what you pay for.  (Assuming you know how to evaluate what
you're buying.)

Script kiddies and those who simply pass along an unsubstantiated,
unverified Qualys report (for instance) don't provide much value regardless
of cost.

I am not actually convinced that rotating pen test firms really does much to
improve the likelihood of discovering vulnerabilities.  I do, however, have
a business need to use different vendors.  Some of our enterprise customers
and prospects require this and audit us against their requirement.

I have to balance getting a high quality result with the need to be able to
tell auditors that we are meeting their requirements.

I may be able to justify spending our pen test dollars on the same firm
provided that I have shown due diligence by evaluating a small handful of
alternatives and demonstrating that the choice was made in appreciation of
the intent of this requirement.

I'm looking for high quality first, low price second.

One other noteworthy item for you to ponder is that current customers
perform pen tests of their own on roughly a quarterly basis and we do have
internal quarterly scans as well so we already have a reasonable level of
confidence as to where our vulnerabilities lie.

Thanks for your comment,

Ken

On Aug 6, 2009 7:26 AM, "Paul Asadoorian" <paul at pauldotcom.com> wrote:

While I am biased (yes, we do pen tests and web app assessments), I
don't see the benefit of using different vendors every year.

I believe it's better to build a relationship with a reputable company
that does a good job.  If they do a good job, stick with them, as they
understand your business and now have an established relationship.
Think of the time spent from the customer's end having to explain your
environment, challenges, policies, business model, to a new firm every
year.  You can also get a fresh perspective from the same company
because they may have added new employees (A good question to ask).

Also, using the same firm allows you to build on past tests.  Any one
company can only get so far in one week, but using the same company for
your testing allows them to pick up where they left off.  Using a
different company, they are going to start fresh, probably finding many
of the same problems as the previous company (unless the company totally
sucks, which is a different conversation).

My recommendation is to apply a similar level of scrutiny to your pen
test company as you do for potential employees.  Don't be afraid to ask
hard questions, samples of work, references, and even throw a test or
challenge at them.  This will help you weed out "the suck" :)

Cheers,
Paul

Raffi Jamgotchian wrote: > We would do something similar in the early days,
but we would rotate >...
--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
