Penetration Testing mailing list archives
What's your pentest workload like lately????
From: Joseph McCray <joe () learnsecurityonline com>
Date: Tue, 23 Dec 2008 11:37:51 -0500
I'm curious what the rest of the testers on the planet are up to (feel free to reply to me directly instead of on the list).

Lately for me - the general observations are:
=============================================

1. PCI Pentesting on the rise.

2. Web App Pentesting is steady; a little bit of education is required once in a while to help the customer understand the need for web app pentesting.

3. For really large organizations the work seems to be more along the lines of risk assessment work instead of more hard core penetration testing. Meh - it is what it is...yeah, I'd rather be hacking any day instead of looking at policies, config builds, and checking off boxes on a checklist. Hey, we all gotta eat - right? We do a few big risk assessments per month, but generic PCI pentesting is still the bread and butter.

4. Medium and large organizations seem to have their OS patch management and anti-virus under control, but 3rd party app patch management is hit and miss. External web apps are hit and miss, and internal web apps are a complete mess.

5. Running into more and more HIPS in the LAN now, but it's generally part of the AV deployment (example: McAfee HIPS).

6. On the web app side - a smattering of Web Services here and there. A lot of ASP.NET and some Java/J2EE. Running into more and more developers that are familiar with secure coding concepts and techniques - but it seems to be 1 or 2 in a typical dev team instead of an overall company code development methodology.

7. OWASP has gained a lot of ground - more and more developers know what the organization is and have an idea what to look for in terms of secure web app development, but not very many developers know how to test for relatively simple vulnerabilities.

8. More and more developers have heard of threat modeling (STRIDE, DREAD, OCTAVE, etc.) - but most of what I'm seeing is really informal, and more along the lines of a pre-project questionnaire instead of something that is an integral part of the SDLC.

9. Overall we are growing in profitability even in the down economy. We have to be aggressive in pursuing the business, but we do have significant growth. Customers are feeling the economy pinch, so we are competing against a lot of other firms pretty regularly, and a ton of mom and pop pentest shops that undercut everyone.

================================

Specific things I'm curious about:

I'm curious how the economy is affecting network pentest, web app, compliance (PCI/HIPAA/SOX/etc.), and risk assessment/audit service sales, and what you are doing about it if they are on the decline.

I'm curious what types of services you are offering that are on the rise and on the decline.

Is secure code development training one of your service offerings, and if so, how is it doing as a service offering?

What percentage of your service offering workload is source-code auditing, and which customer verticals are you finding more interested in it?

How are you feeling about RFP responses? Do you spend a lot of time on them? How aggressively do you pursue RFP business? Do you have dedicated people for writing RFP responses - if not, who in your team does it?

What are the top 5 responsibilities of your business dev person/people, and how are you measuring their progress?

How are you going after business, and what percentage of your marketing/sales methodology is each of the following below:

Advertising
============
- Industry publications
- TV
- Billboards

Direct Sales
============
- Face to Face
- Direct Mail
- Cold Calling

Public Exposure
===============
- Trade Shows
- Technology Conventions
- Technology Conferences
- Security Conferences
- Local Technology Council Meetings
- Chamber of Commerce
- Security Associations (ISACA, InfraGard, etc.)
(Please list any others you think are important)

Partnerships
============
- Technology Integrators (Network Engineering, VoIP, and Application Development Companies)
- Security Integrators (Encryption, Anti-Spam, Firewall, IDS, SSO Companies)
- Physical Security Companies

Web-based Marketing
===================
- SEO
- Link exchange
- Affiliate program

Well - that's it for me, fellas. Back to work for little ol' me. Hope to hear from you guys soon. Like I said earlier - feel free to reply to me directly with your answers to this stuff.

--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar