Penetration Testing mailing list archives
Re: How to pick the right company for penetration testing?
From: "Nexus" <nexus () patrol i-way co uk>
Date: Mon, 26 Jan 2004 23:25:47 -0000
----- Original Message -----
From: "Pete Herzog" <pete () isecom org>
To: "Nexus" <nexus () patrol i-way co uk>; "Andy Paton" <aoyt78 () dsl pipex com>; <pen-test () securityfocus com>
Sent: Monday, January 26, 2004 10:07 AM
Subject: RE: How to pick the right company for penetration testing?
Hi, Although CHECK is part of the UK governmental endorsement, I have not really seen it outside the UK. That said, if the UK is just a starting point for a European partner, CHECK does not have much authority.
Indeed - as you said, not seen outside of the UK... Horribly bad form to quote oneself I know, but from Andy's initial email:
(I will only pick a UK company)
Hence the very specific reply from myself:
In that case, one option would be to pick a CHECK company from
Specific criteria normally require explicit answers, irrespective of esoteric verbosity no ? (Sorry for the Geerism, old habits ;-) And yes, there are US based companies with green light, ho hum.
Another problem is that CHECK is pay-to-play (5000 Bp). I know many excellent UK companies with good work ethic, smart security skills, and a positive cashflow from good sales and service who don't see the value in paying someone for a high-level methodology and course.
As I said (with added emphasis):
**one** option would be
Also agreed that it's still less than the (maximum AFAIK) 295 USD required for Gold Team subscription to your own organisation. It's currently 6.7K UKP for company, 1.5K UKP for the assault course btw (c. Jan 2004).
The larger and more governmentally influenced customers in the UK may require CHECK in England and in that case, the door is shut to them if they can't convince otherwise.
Not true, from first hand experience.
offices are looking for OSSTMM certified people to work and in Scotland, a few of the largest banks and organizations only buy OSSTMM certified tests.
Not an issue - the difference being I am not with CESG and hence am offering what I consider to be independent criteria. Hence no tout or mention of any fee accepting organisation that I represent.
If you want to pick a partner, try buying something from them anonymously first. Go through the procedure of being a tough customer. Judge them on their ethics, sales ability, and service skills. Then when you narrow it down to a few companies, look into sustainability, cash flow, reputation, and other partners.
Agreed.
CHECK has its place but I think it's a mistake to judge ability on that. On the other side, it won't stop us from adding the CHECK methodology to the OSSTMM like we do other high level methodologies.
Or Vikkie Versie perhaps ?
Cheers.