Penetration Testing mailing list archives

Re: How to pick the right company for penetration testing?


From: "Nexus" <nexus () patrol i-way co uk>
Date: Mon, 26 Jan 2004 23:25:47 -0000

----- Original Message -----
From: "Pete Herzog" <pete () isecom org>
To: "Nexus" <nexus () patrol i-way co uk>; "Andy Paton" <aoyt78 () dsl pipex com>;
<pen-test () securityfocus com>
Sent: Monday, January 26, 2004 10:07 AM
Subject: RE: How to pick the right company for penetration testing?


Hi,

Although CHECK is part of the UK governmental endorsement, I have not really
seen it outside the UK.  That said, if the UK is just a starting point for a
European partner, CHECK does not have much authority.

Indeed - as you said, not seen outside of the UK...
Horribly bad form to quote oneself I know, but from Andy's initial email:

(I will only pick a UK company)

Hence the very specific reply from myself:

In that case, one option would be to pick a CHECK company from

Specific criteria normally require explicit answers, irrespective of
esoteric verbosity no ?
(Sorry for the Geerism, old habits ;-)
And yes, there are US based companies with green light, ho hum.

Another problem is that CHECK is pay-to-play (5000 Bp).  I know many
excellent UK companies with good work ethic, smart security skills, and a
positive cashflow from good sales and service who don't see the value in
paying someone for a high-level methodology and course.

As I said (with added emphasis):

**one** option would be

Also agreed that it's still less than the (maximum AFAIK) 295 USD required
for Gold Team subscription to your own organisation.
It's currently 6.7K UKP for company, 1.5K UKP for the assault course btw (c.
Jan 2004).

The larger and more governmentally influenced customers in the UK may
require CHECK in England and in that case, the door is shut to them if they
can't convince otherwise.

Not true, from first hand experience.

offices are looking for OSSTMM certified people to work and in Scotland, a
few of the largest banks and organizations only buy OSSTMM certified
tests.

Not an issue - the difference being I am not with CESG and hence am offering
what I consider to be independent criteria.
Hence no tout or mention of any fee accepting organisation that I represent.

If you want to pick a partner, try buying something from them anonymously
first.  Go through the procedure of being a tough customer.  Judge them on
their ethics, sales ability, and service skills.  Then when you narrow it
down to a few companies, look into sustainability, cash flow, reputation,
and other partners.

Agreed.

CHECK has its place but I think it's a mistake to judge ability on that.
On the other side, it won't stop us from adding the CHECK methodology to the
OSSTMM like we do other high level methodologies.

Or Vikkie Versie perhaps ?

Cheers.
