Penetration Testing mailing list archives
RE: Recommended Web-Based Application Security Companies
From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Sat, 22 Oct 2005 13:00:40 -0700 (PDT)
All depends; a few companies hold awesome talent but actually they are starters or small-scale companies, so one can't compare their pricing with the giants in the security service sector. A few giants are providing their services by selling their brand label and a good sales team that can actually bluff during presentations, and don't hold good talent at their sites. In their presentations they show that their manpower is CISSPs/CISA/CISM/blah blah blah! which in a few cases is completely fake. And as they are big giants, one always can trust what they say, and all questions/verifications are for the small-scalers.

Secondly, you are right about the reports. Even many good security companies work the same way. I have even seen a few reports that have been completely copied from Nessus. They simply change the style, positions and format, but the contents are Nessus's. Which should not be done. Otherwise they are not just spoiling their image in the security industry but are also providing bad prints on the understanding of ppl about Pen-Test. I have myself seen a few reports from some top-notch companies that work with a similar theory. And in many cases I have found companies saying that "Pen-Test is simply running Nessus to detect and then Metasploit/CoreImpact to exploit, or if an exploit is not present then you can get one from some internet resource; our Network Administrator is capable of doing all this, why should we require this external service". This is all happening due to tool-copied reports floating in the market. And there is a lot of scope beyond this. Even I do use the above-listed and many more tools, and everyone out here must be doing the same. I am not against the tools at all. But after tools one needs to make a logical analysis for security breaches which the tool has missed. One needs to define the methodology that they follow while carrying out the test; it should not be clicking on tools like script kiddies.

One needs to cover every kind of attack, for which the security guy has to identify the best tool of that category. While conducting a pen-test, the security company should also have a Security Standard and Policies defined, and on finding anything non-compliant with their own designed standards, it should be addressed in the report. Then the report should talk about all the aspects and should be built after understanding what the client is actually looking for out of the report. The report should also provide some recommendations to safeguard the client in terms of better implementation. For example, during a Pen-Test, a company had not implemented a DMZ in their firewall. Which was actually not a security problem, and the tool didn't provide you this detail. But when I was able to compromise a web server I was able to reach their employee desks. So one should address this in the report and should recommend such an implementation. This shows how much time and effort one has spent on carrying out that pen-test and that it was not simply a tool-running task. Similar things happen while carrying out a pen-test of a web server. I have tried many web application security scanners but no tool could satisfy, coz I always found a lot of work after that to end up the process of the Pen-Test.

Along with Pen-Test reports, a service provider should also conduct a session with their client to provide them inside details about the security breaches and bad implementations, rather than simply sending an email containing the report. If a physical visit is not possible due to high cost then this session can be carried out through a video/tele conference. But at least let the client know what the hell you were doing from the moment they signed the contract for a penetration test with you. And many companies follow this, but again not every one. Coz if the reports are copied blindly from a tool then it becomes hard for anyone to explain. Not every, but many, Security Service companies are charging heavily without delivering the right thing.

And after such an experience the client feels bad and it builds up a misconception about security services in his understanding. So do include other things in your passion as well; trust it will help.... Ciao Dhruv
So what makes one company stand apart from another company? Price? Talent?
How do the deliverable reports vary from each company?
To me one aspect that is very important is the reporting process... too often the reports are based on tool printouts. For instance- I'm really impressed with the tool "Core Impact" for ease-of-use in rapid penetrations... But doesn't that take a little out of the entire process? I can see where it makes the bottom line better with rapid turn-over on engagements but it seems to take out too much of the hands on aspect of it... But again-- I do this work because I have a passion for it.. not for the bottom line :) -JP

-----Original Message-----
From: Thomas Ryan [mailto:tryan () siegeworksint com]
Sent: Thursday, October 20, 2005 1:15 AM
To: secmail.lists () gmail com
Cc: pen-test () securityfocus com
Subject: Re: Recommended Web-Based Application Security Companies

I am a firm believer in fair competition and due diligence when it comes to Pen Testing. I would suggest not looking for one company, but multiple companies. Have a formal RFP Process and evaluate vendors based on your company's criteria. A few companies I can speak for that have serious talent and some of which we are in constant competition with:

SiegeWorks International http://www.siegeworksint.com
NET2S http://www.net2s.com
Foundstone (McAfee) http://www.foundstone.com
@Stake (Symantec) http://www.atstake.com
INS http://www.ins.com
FishNET http://www.fishnetsecurity.com

Thomas Ryan
Senior Security Consultant
SiegeWorks International
tom () siegeworksint com
http://www.siegeworksint.com
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
Current thread:
- Recommended Web-Based Application Security Companies secmail . lists (Oct 18)
- <Possible follow-ups>
- Re: Recommended Web-Based Application Security Companies Kurt Keys (Oct 19)
- Re: Recommended Web-Based Application Security Companies Thomas Ryan (Oct 19)
- RE: Recommended Web-Based Application Security Companies Josh Perrymon (Oct 20)
- RE: Recommended Web-Based Application Security Companies Dhruv Soi (Oct 22)
- Re: Recommended Web-Based Application Security Companies secmail4karen (Oct 23)