Penetration Testing mailing list archives

What's your pentest workload like lately????


From: Joseph McCray <joe () learnsecurityonline com>
Date: Tue, 23 Dec 2008 11:37:51 -0500

I'm curious what the rest of the testers on the planet are up to (feel
free to reply to me directly instead of on the list).


Lately for me - the general observations are:
=============================================

1. PCI Pentesting on the rise

2. Web App Pentesting is steady, a little bit of education is required
once in a while to help the customer understand the need for web app
pentesting. 

3. For really large organizations the work seems to be more along the
lines of risk assessment work instead of more hard core penetration
testing. Meh - it is what it is...yeah I'd rather be hacking any day
instead of looking at policies, config builds, and checking off boxes on
a checklist. Hey we all gotta eat - right? We do a few big risk
assessments per month, but generic PCI pentesting is still the bread and
butter.

4. Medium and large organizations seem to have their OS patch management
and anti-virus under control, but 3rd party app patch management is hit
and miss. External web apps are hit and miss, and internal web apps are
a complete mess.

5. Running into more and more HIPS in the LAN now, but it's generally
part of the AV deployment (example: McAfee HIPS).

6. On the web app side - a smattering of Web Services here and there. A
lot of ASP.NET and some Java/J2EE. Running into more and more developers
that are familiar with secure coding concepts and techniques - but it seems
to be 1 or 2 in a typical dev team instead of an overall company code
development methodology.

7. OWASP has gained a lot of ground - more and more developers know what
the organization is and have an idea what to look for in terms of secure
web app development, but not very many developers know how to test for
relatively simple vulnerabilities.  

8. More and more developers have heard of threat modeling (STRIDE,
DREAD, OCTAVE, etc) - but most of what I'm seeing is really informal,
and more along the lines of a pre-project questionnaire instead of
something that is an integral part of the SDLC.

9. Overall we are growing in profitability even in the down economy. We
have to be aggressive in pursuing the business, but we do have
significant growth. Customers are feeling the economy pinch so we are
competing against a lot of other firms pretty regularly, and a ton of
mom and pop pentest shops that undercut everyone.


================================

Specific things I'm curious about:

I'm curious how the economy is affecting network pentest, web app,
compliance (PCI/HIPAA/SOX/etc), and risk assessment/audit service sales,
and what you are doing about it if they are on the decline.

I'm curious what types of services you are offering that are on the rise
and on the decline.

Is secure code development training one of your service offerings, and
if so how is it doing as a service offering?

What percentage of your service offering workload is source-code
auditing and which customer verticals are you finding more interested in
it?

How are you feeling about RFP responses? Do you spend a lot of time on
them? How aggressively do you pursue RFP business? Do you have dedicated
people for writing RFP responses - if not who in your team does it?

What are the top 5 responsibilities of your business dev person/people,
and how are you measuring their progress?

How are you going after business, and what percentage of your
marketing/sales methodology is each of the following below:

Advertising
============

- Industry publications
- TV
- Billboards


Direct Sales
============

- Face to Face
- Direct Mail
- Cold Calling


Public Exposure
===============

- Trade Shows
- Technology Conventions
- Technology Conferences
- Security Conferences
- Local Technology Council Meetings
- Chamber of Commerce
- Security Associations (ISACA, InfraGard, etc)

(Please list any others you think are important)



Partnerships
============

- Technology Integrators (Network Engineering, VoIP, and Application
Development Companies) 
- Security Integrators (Encryption, Anti-Spam, Firewall, IDS, SSO
Companies)
- Physical Security Companies



Web-based Marketing
===================

- SEO
- Link exchange
- Affiliate program




Well - that's it for me fellas. Back to work for little ol' me.

Hope to hear from you guys soon. Like I said earlier - feel free to
reply to me directly with your answers to this stuff. 





-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

