PaulDotCom mailing list archives
Network and Web App Pen Test Providers
From: mick at pauldotcom.com (Michael Douglas)
Date: Thu, 6 Aug 2009 13:45:39 -0400
I too have to back up the sentiment on having a single provider for assessments. It's somewhat rare to have two completely different companies perform a financial audit, why have two different pen testers? And while it drives Paul *nuts* every time I make the comparison, auditors and pen testers really aren't that far apart when you think about it... They both ask the question "Are you sure? Let's find out!"

The big thing that you have to take away from this is that you need a good RFP style process where you ask a gauntlet of questions to everyone you'd consider poking around with your network. In addition to experience, tools used, and references, some other items to cover are:

- reporting
- follow-up. (Will/Should the pentester offer to fix vulnerabilities?)
- findings (it's possible that a pentester could uncover a 0-day... how will this get reported or handled?)
- timeframe for work. (some companies want 1 week pentests -- IMO this is far too short)
- methods allowed (some companies will only allow remote, while others have no problems with internal based tests -- let your external pentest team know in great detail what you need/want)
- Cost (I've had some decent success saying upfront "I have $5k, what can I get?" It's better for both parties to do that than sign up and at the last second reduce the $ by 75% -- still seething over that one)

What an interesting topic! Maybe we should do this on the show sometime...

Best of luck,
- Mick

On Thu, Aug 6, 2009 at 10:26 AM, Paul Asadoorian <paul at pauldotcom.com> wrote:
While I am biased (yes, we do pen tests and web app assessments), I don't see the benefit of using different vendors every year. I believe it's better to build a relationship with a reputable company that does a good job. If they do a good job, stick with them, as they understand your business and now have an established relationship. Think of the time spent from the customer's end having to explain your environment, challenges, policies, business model, to a new firm every year. You can also get a fresh perspective from the same company because they may have added new employees (a good question to ask).

Also, using the same firm allows you to build on past tests. Any one company can only get so far in one week, but using the same company for your testing allows them to pick up where they left off. Using a different company, they are going to start fresh, probably finding much of the same problems as the previous company (unless the company totally sucks, which is a different conversation).

My recommendation is to apply a similar level of scrutiny to your pen test company as you do for potential employees. Don't be afraid to ask hard questions, samples of work, references, and even throw a test or challenge at them. This will help you weed out "the suck" :)

Cheers,
Paul

Raffi Jamgotchian wrote:

We would do something similar in the early days, but we would rotate between two vendors every year. We eventually dropped one of them because we saw they weren't adding any additional value.

On Aug 6, 2009, at 12:50 AM, Vincent Lape wrote:

It's kinda odd to jump from one cheap place to another. I can totally understand the option for diverse testing; however, generally one would have 2 companies scan at the same time to see if there were any misses. Additionally, jumping around yearly from one place to another will not prove if one place had missed something or not. Your external environment will change from one year to the next.

With the security field you'll find it the same as any other, meaning you get what you pay for. For example, if you take a $50 lawyer to court with you, or choose a super cut-rate insurance company, don't expect to get the same results you would if you went with a more experienced provider. One thing you may find with the "startup priced" places is the people doing the work may be a bit green. Knowledgeable, may have the certs to do so, however not seasoned enough to really dig in. Or even worse, you may end up getting the script kiddy special of some yahoo who downloaded the newest automated tools and is now a pen tester. In my past experience, when I look at a prospect that has been scanned before I ask to review the previous scans.

To somewhat answer your question, I have used Protiviti in the past for my external net and app scans. For a 2X /24 with 350 hosts we were charged 10K per scan. They used several tools (Core, Nessus, et al.) as well as homegrown stuff they have put together. Another thing you might want to think about is contacting Paul directly to see if he is open for some consulting.

On Aug 5, 2009, at 3:19 PM, Kennith Asher wrote:

The company I work for contracts with third parties each year to perform web app and network penetration tests. In the interest of getting a different view of our vulnerabilities each time, we've decided to go with new vendors this year (and each year hereafter). Can any of you out there provide unvarnished truth about your experiences in similar endeavors? I'm looking to put together a short list of reputable firms who come recommended by people in the know. The list should hold up to enterprise scrutiny (must be reputable) and should be start-up priced. (Aren't all security purchases subject to such criteria?)

Thanks for your input,
Ken

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552