PaulDotCom mailing list archives

Network and Web App Pen Test Providers

From: mick at pauldotcom.com (Michael Douglas)
Date: Thu, 6 Aug 2009 13:45:39 -0400

I too have to back up the sentiment on having a single provider for
assessments.  It's somewhat rare to have two completely different
companies perform a financial audit, why have two different pen
testers?  And while it drives Paul *nuts* every time I make the
comparison, auditors and pen testers really aren't that far apart when
you think about it...  They both ask the question "Are you sure?
Let's find out!"

---

The big thing that you have to take away from this is that you need a
good RFP style process where you ask a gauntlet of questions to
everyone you'd consider poking around with your network.

In addition to experience, tools used, and references, some other
items to cover are:
- reporting
- follow-up. (Will/Should the pentester offer to fix vulnerabilities?)
- findings (it's possible that a pentester could uncover a 0-day...
how will this get reported or handled?)
- timeframe for work.  (some companies want 1 week pentests -- IMO
this is far too short)
- methods allowed (some companies will only allow remote, while others
have no problems with internal based tests -- let your external penest
team know in great detail what you need/want)
- Cost (I've had some decent success saying upfront "I have $5k what
can I get?" it's better for both parties to do that than sign up and
at the last second reduce the $ by 75% -- still seething over that
one)



What an interesting topic!  Maybe we should do this on the show sometime...

Best of luck,
- Mick

On Thu, Aug 6, 2009 at 10:26 AM, Paul Asadoorian<paul at pauldotcom.com> wrote:

While I am biased (yes we do pen tests and web app assessments), but I
don't see the benefit of using different vendors every year.

I believe its better to build a relationship with a reputable company
that does a good job. ?If they do a good job, stick with them, as they
understand your business and now have an established relationship.
Think of the time spent from the customers end having to explain your
environment, challenges, policies, business model, to a new firm every
year. ?You can also get a fresh perspective from the same company
because they may have added new employees (A good question to ask).

Also, using the same firm allows you to build on past tests. ?Any one
company can only get so far in one week, but using the same company for
your testing allows them to pick up where they left off. ?Using a
different company, they are going to start fresh, probably finding much
of the same problems as the previous company (unless the company totally
sucks, which is a different conversation).

My recommendation is to apply a similar level of scrutiny to your pen
test company as you do for potential employees. ?Don't be afraid to ask
hard questions, samples of work, references, and even through a test or
challenge at them. ?This will help you weed out "the suck" :)

Cheers,
Paul

Raffi Jamgotchian wrote:

We would do something similar in the early days, but we would rotate
between two vendors every year. ?We eventually dropped one of them
because we saw they weren't adding any additional value.


On Aug 6, 2009, at 12:50 AM, Vincent Lape wrote:

Its kinda odd to jump form one cheap place to another. i can totally
understand the option for diverse testing however generally one would
have 2 companies scan at the same time to see if there were any
misses. Additionally jumping around yearly form one place to another
will not prove if one place had missed something or not. your external
environment will change from one year to the next. With the security
field youll find it the same as any other, meaning you get what you
pay for. For example if you take a $50 lawyer to court with you, or
choose a super cut rate insurance company dont expect to get the same
results you would if you went with a more experienced provider. One
thing you may find with the "startup priced" places is the people
doing the work may be a bit green. Knowledgeable, may have the certs
to do so however not seasoned enough to really dig in. Or even worse
you may end up getting the script kiddy special of some yahoo who
downloaded the newest automated tools and is now a pen tester. In my
past experience, when i look at a prospect that has been scanned
before i ask to review the previous scans.

To somewhat answer your question, i have used Protiviti in the past
for my external net and app scans. For a 2X /24 with 350 hosts we were
charged 10K per scan. They used several tools (core, nessus, et. al)
as well as homegrown stuff they have put together. Another thing you
might want to think about is contacting Paul directly to see if he is
open for some consulting.
On Aug 5, 2009, at 3:19 PM, Kennith Asher wrote:

The company I work for contracts with third parties each year to
perform web app and network penetration tests. ?In the interest of
getting a different view of our vulnerabilities each time, we've
decided to go with new vendors this year (and each year hereafter).

Can any of you out there provide unvarnished truth about your
experiences in similar endeavors. ?I'm looking to put together a
short list of reputable firms who come recommended by people in the
know.

The list should hold up to enterprise scrutiny (must be reputable)
and should be start-up priced. ?(Aren't all security purchases
subject to such criteria?)

Thanks for your input,

Ken


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Network and Web App Pen Test Providers, (continued)
- - Network and Web App Pen Test Providers Raffi Jamgotchian (Aug 06)
    - Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
    - Network and Web App Pen Test Providers Mike Patterson (Aug 06)
    - Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
    - Network and Web App Pen Test Providers Jim Halfpenny (Aug 06)
    - Network and Web App Pen Test Providers Chris Clymer (Aug 06)
    - Network and Web App Pen Test Providers strandjs at gmail.com (Aug 06)
    - Network and Web App Pen Test Providers Tim Krabec (Aug 06)
    - Network and Web App Pen Test Providers Kennith Asher (Aug 06)
    - Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
    - Network and Web App Pen Test Providers Michael Douglas (Aug 06)