Penetration Testing mailing list archives

RE: Cross-company collaboration


From: "Jonathan Cran" <jcran () 0x0e org>
Date: Tue, 28 Jul 2009 13:50:00 -0700

All, 


On Fri, Jul 17, 2009 at 04:47:41PM -0700, Erin Carroll wrote:
The recent thread from Adriel on verifying your security providers 
jogged a thought that's been at the back of my mind for a bit: Have 
you ever worked or collaborated with another pen-test company on 
projects? How did it work out? What prompted the collaboration effort? 
How did you manage the relationship with "the competition" and was it 
a successful engagement (financial or otherwise)? How did you find/choose who 
to work with?

It's interesting and timely that this issue is raised on the pen-test list. I'll be giving a talk at B-Sides Las Vegas 
on collaborative pentesting and specifically on some tools we've (rapid7) modified / developed to enable it. The talk 
is based around something we call pentest-console or ptc, which is really just an alias for the following:

Server:
 - Trac/Svn as the basis (which is really a development project tracking software)
 - Custom "template" projects to speed typical projects (such as a 5-day, or 10-day pentest)
 - Custom shell scripts to augment project creation
 - Various parsers to pull data into trac (tickets / wiki)
 - Toolkit in svn

Client:
 - Eclipse as a front-end
 - Mylyn for Trac-Ticket Integration (and possibly time-tracking)

These tools were developed to help us better maintain methodology, and re-use existing work. However, it turns out that 
they're quite useful for collaboration / communication during a pentest, scalability to large teams, automatic 
report-gen and various other nice-to-haves. 
 
You can find more info on the talk here: http://www.securitybsides.com

---

To answer your other, more business-oriented questions, however:

 Q: Have you ever worked or collaborated with another pen-test company on projects? 
 A: Yep
   
 Q: How did it work out? What prompted the collaboration effort?
 A: Depends on the relationship, depends on the work, depends on lots of things. Depending on how the relationship is 
managed, you could end up holding hands, or stabbing each other at the end of it. My experiences have been prompted by 
various business needs, whether it's the need for a specific type of expertise, or just too much work to handle in-house.

 Q: How did you manage the relationship with "the competition" and was it a successful engagement (financial or 
otherwise)? 
 A: "competition" is definitely debatable. Generally, you don't want to sub out your core business functionality, so if 
you're giving your best work away to the competition, you're probably doing something wrong. The exception to that is 
when you have too much work (especially if you do not have a growing backlog), and you need to fill in gaps w/ other 
vendors. 

 Q: How did you find/choose who to work with?
 A: Most consulting / services firms are happy to discuss this kind of arrangement. I would suggest talking to your 
contacts and finding someone you trust, first and foremost. It's quite common to contract penetration testing work; 
some companies do this more than others. Many independent penetration testers in the US work as contractors because 
it's more lucrative. 


Well, one time when a customer wanted an application which required a very 
high level of securing they actually went as far as to order two companies (us 
and The Others™) to take care of it. Initially, we were both not too thrilled.

I've had this experience before as well. Generally it's best (and the client / customer would like you to focus on 
different areas).

As it turned out though, we were the crypto freaks and had a strong grasp on 
technical security while the other company was focussing mainly on 
organizational security, so we let them take care of that part of the job and 
hacked away peacefully.

Hopefully you both learned some things from each other :)



cheers, 

jcran




(But usually companies just want one "security provider".)

Kind regards,

                              Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33           Güterstrasse 86
Fax:+41 61 383 14 67           4053 Basel
Web:www.sygroup.ch             tonnerre.lombard () sygroup ch