Re: How to pick the right company for penetration testing?

[wjnorth <wjnorth () earthlink net>]

Hmm...I don't think I said that those tools were penetration testing tools, 
I do believe I said they were vulnerability scanners, of which one can use 
to perform pen tests. I think you flamed the wrong person. Thanks for the 
misdirected correction though, as quite a few people confuse the two. ;-)

-Wes


At 03:51 PM 1/30/2004 +0100, Frederic Charpentier wrote:

>  Hi.
>
>  Qualys, Nessus are not a pentest : it's a vulnerability scan.
>
>  Please, don't use  "pentest" to describe these kind of services.
>
>  Fred
>
> On Wed, 28 Jan 2004 15:04:22 -0800
> wjnorth <wjnorth () earthlink net> wrote:
>
> > Good catch there. In my opinion one can't rely on a single
> > vulnerability scanner, which is why I typically use 2 or 3, Nessus for
> > open source then some foo-foo commercial tool to validate and
> > invalidate findings. Additionally, depending on what you are testing,
> > there are a ton of application level scanners for Database, Web, App
> > and such the like. There is no "leader" in any area, at most each tool
> > validates the other, I've yet to rely solely on a single tool as the
> > end-all-solution.
> >
> > -Wes
> > Sr. Information Security Engineer
> >
> > At 10:24 AM 1/27/2004 -0500, Eric Greenberg wrote:
> > >That's a bold statement "leader in the space." I don't believe there
> > >is a single leader in the penetration testing space, there are
> > >choices. Answering his question about credentials, information,
> > >references might be less subjective.
> > >
> > >Regards,
> > >
> > >Eric Greenberg
> > >Chief Technical Officer
> > >NetFrameworks, Inc.
> > >http://www.NetFrameworks.com
> > >
> > >-----Original Message-----
> > >From: Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA
> > >[mailto:gideon () infostruct net]
> > >Sent: Monday, January 26, 2004 9:03 PM
> > >To: pen-test () securityfocus com
> > >Cc: aoyt78 () dsl pipex com
> > >Subject: How to pick the right company for penetration testing?
> > >
> > >
> > >Andy,
> > >
> > >You should investigate vulnerability scanning services. The leader in
> > >the space is Qualys
> > >
> > > >>>>>>>>>>>>>>>>>>>>> the poster's original question
> > >I'm in a position to recommend a company and would like to know, what
> > >credentials/information/references should I ask for from a company
> > >who offers such services.
> > >
> > >
> > >
> > >
> > >--------------------------------------------------------------------
> > >--------------------------------------------------------------------
> > >---------------
> > >
> > >
> > >
> > >
> > >--------------------------------------------------------------------
> > >--------------------------------------------------------------------
> > >---------------
> > >
> > >
> > >--------------------------------------------------------------------
> > >--------------------------------------------------------------------
> > >---------------
> >
> >
> > ---------------------------------------------------------------------
> > ---------------------------------------------------------------------
> > -------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------