RE: How to pick the right company for penetration testing?

["Pete Herzog" <pete () isecom org>]

Hi,

Although CHECK is part of the UK governmental endorsement, I have not really
seen it outside the UK.  That said, if the UK is just a starting point for a
European partner, CHECK does not have much authority.

Another problem is that CHECK is pay-to-play (5000 Bp).  I know many
excellent UK companies with good work ethic, smart security skills, and a
positive cashflow from good sales and service who don't see the value in
paying someone for a high-level methodology and course.

The larger and more governmentally influenced customers in the UK may
require CHECK in England and in that case, the door is shut to them if they
can't convince otherwise.  However, just to the north, in Wales, government
offices are looking for OSSTMM certified people to work and in Scotland, a
few of the the largest banks and organizations only buy OSSTMM certified
tests.

If you want to pick a partner, try buying something from them anonymously
first.  Go through the procedure of being a tough customer.  Judge them on
their ethics, sales ability, and service skills.  Then when you narrow it
down to a few companies, look into sustainability, cash flow, reputation,
and other partners.

CHECK has its place but I think it's a mistake to judge ability on that.  On
the otherside, it won't stop us from adding the CHECK methodology to the
OSSTMM like we do other high level methodologies.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org


> -----Original Message-----
> From: Nexus [mailto:nexus () patrol i-way co uk]
> Sent: Monday, January 26, 2004 01:42 AM
> To: Andy Paton; pen-test () securityfocus com
> Subject: Re: How to pick the right company for penetration testing?
>
>
> ----- Original Message -----
> From: "Andy Paton" <aoyt78 () dsl pipex com>
> To: <pen-test () securityfocus com>
> Sent: Sunday, January 25, 2004 9:53 PM
> Subject: How to pick the right company for penetration testing?
>
> [snip]
>
> > P.S. I don't mind obvious touting for business (I will only pick a UK
> company)
>
> In that case, one option would be to pick a CHECK company from
> http://www.cesg.gov.uk/site/check/index.cfm as the assault course will
> certainly be an indication of a certain level of technical competence.
> Obviously you can infer a couple of things from that, but I won't
> tout on a
> technical list ;-)
> The fun (personal) answer would be to kick out some ITT's and have a
> shoot-off against a test box to get an idea of what you will be getting.
>
> Cheers.
>
>
> ------------------------------------------------------------------
> ---------
> ------------------------------------------------------------------
> ----------


---------------------------------------------------------------------------
----------------------------------------------------------------------------