Penetration Testing mailing list archives

RE: Recommended Web-Based Application Security Companies


From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Sat, 22 Oct 2005 13:00:40 -0700 (PDT)

It all depends. A few companies hold awesome talent but are actually starters or small-scale companies, so one can't compare their pricing with the giants in the security service sector.

A few giants are providing their services by selling their Brand Label and a good sales team that can actually bluff during a presentation, and they don't hold good talent at their sites. In their presentations they show that their manpower is CISSPs/CISA/CISM/blah blah blah! which in a few cases is completely fake. And as they are big giants, one can always trust what they say, and all questions/verifications are for the small-scalers.

Secondly, you are right about the reports. Even many good security companies work the same way. I have even seen a few reports that have been completely copied from Nessus. They simply change the style, positions and format, but the contents are Nessus's, which should not be done. Otherwise they are not just spoiling their image in the security industry but are also leaving bad impressions on people's understanding of Pen-Test.

I have myself seen a few reports from some top-notch companies that work on a similar theory. And in many cases I have found companies saying:
"Pen-Test is simply running Nessus to detect and then Metasploit/CoreImpact to exploit, or if an exploit is not present then you can get one from some internet resource; our Network Administrator is capable of doing all this, so why should we require this external service?"
This is all happening due to tool-copied reports floating in the market. And there is a lot of scope beyond this. Even I do use the above-listed and many more tools, and everyone out here must be doing the same. I am not against the tools at all. But after the tools one needs to make a logical analysis for the security breaches which the tool has missed.

One needs to define the methodology that they follow while carrying out the test; it should not be clicking on tools like script kiddies.
One needs to cover every kind of attack, for which the security guy has to identify the best tool of that category.

While conducting a pen-test, the security company should also have Security Standards and Policies defined, and any finding that is non-compliant with their own designed standards should be addressed in the reports.
Then the report should talk about all the aspects and should be built after understanding what the client is actually looking for out of the reports.

The report should also provide some recommendations to safeguard the client in terms of better implementation. For example, during a Pen-Test a company had not implemented a DMZ in their firewall, which was actually not a security problem, and the tool didn't provide you this detail. But when I was able to compromise a web server I was able to reach their employee desks. So one should address this in the report and should recommend such an implementation. This shows how much time and effort one has spent on carrying out that pen-test, and that it was not simply a tool-running task.

Similar things happen while carrying out a pen-test of a web server. I have tried many web application security scanners but no tool could satisfy me, because I always found a lot of work after that.

To end up the process of a Pen-Test: along with the Pen-Test reports, a service provider should also conduct a session with their client to provide them inside details about the security breaches and bad implementations, rather than simply sending an email containing the report. If a physical visit is not possible due to high cost then this session can be carried out through a video/tele conference. But at least let the client know what the hell you were doing from the moment they signed the contract for the penetration test with you. And many companies follow this, but again not every one. Because if the reports are copied blindly from a tool then it becomes hard for anyone to explain.

Not every, but many Security Service companies are charging heavily without delivering the right thing. And after such an experience the client feels bad and it builds up a misconception about security services in his understanding.

So do include other things in your passion as well; trust it will help....

Ciao
Dhruv

So what makes one company stand apart from another company? Price? Talent?

How do the deliverable reports vary from each company?

To me one aspect that is very important is the reporting process... too often the reports are based on tool printouts.

For instance, I'm really impressed with the tool "Core Impact" for ease-of-use in rapid penetrations... But doesn't that take a little out of the entire process? I can see where it makes the bottom line better with rapid turn-over on engagements, but it seems to take out too much of the hands-on aspect of it...

But again-- I do this work because I have a passion for it.. not for the bottom line :)

-JP



-----Original Message-----
From: Thomas Ryan [mailto:tryan () siegeworksint com] 
Sent: Thursday, October 20, 2005 1:15 AM
To: secmail.lists () gmail com
Cc: pen-test () securityfocus com
Subject: Re: Recommended Web-Based Application Security Companies

I am a firm believer in fair competition and due diligence when it comes to Pen Testing.
I would suggest not looking for one company, but multiple companies.
Have a formal RFP Process and evaluate vendors based on your company's criteria.

A few companies I can speak for that have serious talent and some of which we are in constant competition with:
SiegeWorks International
http://www.siegeworksint.com
NET2S http://www.net2s.com 
Foundstone (McAfee) http://www.foundstone.com
@Stake (Symantec) http://www.atstake.com
INS http://www.ins.com
FishNET http://www.fishnetsecurity.com


Thomas Ryan
Senior Security Consultant
SiegeWorks International
tom () siegeworksint com
http://www.siegeworksint.com




------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831

-------------------------------------------------------------------------------













