Penetration Testing mailing list archives

Re: How to pick the right company for penetration testing?


From: Travis Schack <Travis () Vitalisec com>
Date: 28 Jan 2004 01:03:36 -0000

In-Reply-To: <000201c3e4e9$98a94990$c8a8a8c0@selfb5zlf10bdt>

Vulnerability testing and penetration testing are two different types of testing in existence. While both testing types have some similarities, the results and objectives are different. The current OSSTMM (page 14) provides definitions for these types of testing and others.

I agree that any type of testing will only be as good as the technical and analytical personnel performing the test. I would recommend reading through, if you have not, the OSSTMM (www.osstmm.org). The OSSTMM is not only valuable to security testing/analytical professionals but also provides a framework to evaluate security testing companies in the industry.

I agree with Pete on evaluating them on their “ethics, sales, and service skills”. Look at the “Rules of Engagement” section of the OSSTMM.

I would also recommend evaluating which methodologies they follow (OSSTMM, OWASP, NSA IAM, ISO-17799, etc.). How do they address the different legislative and privacy issues that businesses face today? How do they align the testing objectives and results with the company’s mission and objectives? What limitations does the company have (i.e., technical skills, business analytical skills, technical writing, etc.)? How long have they been in business? Did they start off with security testing services, or did they get into it because it is the “flavor of the month”? What is their mission? What is their vision?

Also, how do they hire people? What are the qualifications? Testing or analytical skills? Certification requirements? What are the requirements for keeping their testing/analytical skills up-to-date? What conferences do they attend? Do they perform background checks? Do they hire ex-hackers?

These are some limited suggestions. They should help you in determining which companies are mature and professional enough to move to the next step of looking at business viability objectives (financials, etc.).

Travis
Vitalisec Inc.



That's a bold statement, "leader in the space." I don't believe there is a single leader in the penetration testing space; there are choices. Answering his question about credentials, information, and references might be less subjective.

Regards,

Eric Greenberg
Chief Technical Officer
NetFrameworks, Inc.
http://www.NetFrameworks.com

-----Original Message-----
Andy,

You should investigate vulnerability scanning services. The leader in the space is Qualys.


