Penetration Testing mailing list archives

RE: How to pick the right company for penetration testing?

From: "Carrick, Brian A" <brian.carrick () eds com>
Date: Mon, 26 Jan 2004 14:36:10 -0000

Andy

The easy way would be to go here and choose one or more 'green light' CHECK providers:
http://www.cesg.gov.uk/site/check/index.cfm?menuSelected=11&displayPage=111

UK Government has already done some of the work for you in that all are considered to be reputable companies and all 
the green light ones have at least one person that has passed the CHECK assault course.  BTW it's difficult. At least I 
thought so. Historically, I think that only about a third or so pass it.

The list includes contact details to get you on your way.
If geography is an issue, and you can't tell where the company is from the address, you could plug the postcode into 
multimap. This is where I am, for example:
http://www.multimap.com/map/browse.cgi?client=public&db=pc&addr1=&client=public&addr2=&advanced=&addr3=&pc=MK178LX&quicksearch=mk17+8lx&cidr_client=none

In case you need it, here's some background info on CHECK that I tend to use in proposals:

CHECK is a formal Scheme for penetration testing run by the Communications - Electronics Security Group (CESG - part of 
GCHQ Cheltenham) on behalf of UK Government.  Fundamentally, it provides confidence that penetration tests of UK 
Government and Critical National Infrastructure (CNI) are performed to an appropriate and exacting standard.  Targets 
that are not part of UK Government nor considered part of the UK's CNI do not qualify for CHECK but will be tested to 
the same exacting standards.
A penetration test run under the CHECK Scheme is known as an IT Security Health Check (ITSHC).

From a customer perspective, CHECK provides the following benefits:

*       An assurance that the organisation and the individuals performing the ITSHC are sufficiently competent and 
qualified to perform the ITSHC.
*       Oversight of the ITSHC to ensure the test is correctly planned, performed, and reported.
Each organisation proving an ITSHC must be registered with CESG as a CHECK Service provider.  Each individual 
performing an ITSHC must be approved by CESG, which mostly involves checking the individual's clearance and vetting 
their CV.  Each ITSHC must be led by a CHECK Team Leader, a coveted status, obtained by passing an extremely rigorous 
examination and hacking "assault course" at CESG.  Moreover, to attain the status of a 'Green Light' CHECK Provider, 
the organisation must have at least one CHECK Team Leader.  At the time of writing (December 2003), there were 71 CHECK 
Team Leaders.
Running a penetration test under the CHECK scheme benefits from CESG oversight. As a minimum, CESG will read the final 
report to ensure that the test has been properly conducted and recorded to an acceptable standard for a CHECK ITSHC. 
CESG may also choose to witness some or all of the testing. It is CESG's policy to periodically witness an ITSHC to 
ensure the CHECK provider (EDS Information Assurance in this case) is properly conducting ITSHCs.
Further information on CHECK, including a qualifications checker, may be found on CESG's website:
http://www.cesg.gov.uk/site/check/index.cfm

HTH

Brian Carrick 
Penetration Testing Manager 
EDS information Assurance 
Wavendon Tower 
Milton Keynes, MK17 8LX 
Phone:  +44 1908 284253 
Fax:       +44 1908 284393 


-----Original Message-----
From: Andy Paton [mailto:aoyt78 () dsl pipex com] 
Sent: 25 January 2004 21:54
To: pen-test () securityfocus com
Subject: How to pick the right company for penetration testing?


Hi Guys & Girls

I have a customer who would like to engage with a security partner for penetration testing service in the UK.

I'm in a position to recommend a company and would like to know, what credentials/information/references should I ask 
for from a company who offers such services.


Regards

AP

P.S. I don't mind obvious touting for business (I will only pick a UK company)




---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

How to pick the right company for penetration testing? Andy Paton (Jan 25)
- Re: How to pick the right company for penetration testing? Nexus (Jan 25)
  - RE: How to pick the right company for penetration testing? Pete Herzog (Jan 26)
    - Re: How to pick the right company for penetration testing? Nexus (Jan 26)
- <Possible follow-ups>
- RE: How to pick the right company for penetration testing? Carrick, Brian A (Jan 26)
- How to pick the right company for penetration testing? Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA (Jan 27)
  - RE: How to pick the right company for penetration testing? Eric Greenberg (Jan 27)
    - RE: How to pick the right company for penetration testing? Robert E. Lee (Jan 27)
    - RE: How to pick the right company for penetration testing? wjnorth (Jan 29)
  - Message not available
    - Re: How to pick the right company for penetration testing? wjnorth (Jan 30)
- RE: How to pick the right company for penetration testing? Cure, Samuel J (Jan 27)
- Re: How to pick the right company for penetration testing? Travis Schack (Jan 28)
- RE: How to pick the right company for penetration testing? Tinus Janse van Rensburg (Jan 28)
  - Re: How to pick the right company for penetration testing? Nexus (Jan 29)