PaulDotCom mailing list archives
Network and Web App Pen Test Providers
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Thu, 06 Aug 2009 13:54:23 -0400
"One other noteworthy item for you to ponder is that current customers perform pen tests of their own on roughly a quarterly basis and we do have internal quarterly scans as well so we already have a reasonable level of confidence as to where our vulnerabilities lie."

Ken, that's an excellent point. More organizations should have a well-developed vulnerability management program; it's crucial to the success of your security. This way you can find and fix stuff as you go, then the external testing can focus on areas that you may not be focusing on internally.

Cheers,
Paul

Kennith Asher wrote:
First let me say that I totally agree, especially in the case of pen tests, that you get what you pay for. (Assuming you know how to evaluate what you're buying.) Script kiddies and those who simply pass along an unsubstantiated, unverified Qualys report (for instance) don't provide much value regardless of cost.

I am not actually convinced that rotating pen test firms really does much to improve the likelihood of discovering vulnerabilities. I do, however, have a business need to use different vendors. Some of our enterprise customers and prospects require this and audit us against their requirement. I have to balance getting a high quality result with the need to be able to tell auditors that we are meeting their requirements. I may be able to justify spending our pen test dollars on the same firm provided that I have shown due diligence by evaluating a small handful of alternatives and demonstrating that the choice was made in appreciation of the intent of this requirement. I'm looking for high quality first, low price second.

One other noteworthy item for you to ponder is that current customers perform pen tests of their own on roughly a quarterly basis and we do have internal quarterly scans as well so we already have a reasonable level of confidence as to where our vulnerabilities lie.

Thanks for your comment,
Ken

On Aug 6, 2009 7:26 AM, "Paul Asadoorian" <paul at pauldotcom.com> wrote:

While I am biased (yes, we do pen tests and web app assessments), I don't see the benefit of using different vendors every year. I believe it's better to build a relationship with a reputable company that does a good job. If they do a good job, stick with them, as they understand your business and now have an established relationship. Think of the time spent from the customer's end having to explain your environment, challenges, policies, business model, to a new firm every year.

You can also get a fresh perspective from the same company because they may have added new employees (a good question to ask). Also, using the same firm allows you to build on past tests. Any one company can only get so far in one week, but using the same company for your testing allows them to pick up where they left off. Using a different company, they are going to start fresh, probably finding much of the same problems as the previous company (unless the company totally sucks, which is a different conversation).

My recommendation is to apply a similar level of scrutiny to your pen test company as you do for potential employees. Don't be afraid to ask hard questions, ask for samples of work and references, and even throw a test or challenge at them. This will help you weed out "the suck" :)

Cheers,
Paul

Raffi Jamgotchian wrote:
> We would do something similar in the early days, but we would rotate
> ...

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552