Penetration Testing mailing list archives
RE: Cross-company collaboration
From: "Jonathan Cran" <jcran () 0x0e org>
Date: Tue, 28 Jul 2009 13:50:00 -0700
All,
On Fri, Jul 17, 2009 at 04:47:41PM -0700, Erin Carroll wrote:
> The recent thread from Adriel on verifying your security providers jogged a thought that's been at the back of my mind for a bit: Have you ever worked or collaborated with another pen-test company on projects? How did it work out? What prompted the collaboration effort? How did you manage the relationship with "the competition" and was it a successful engagement (financial or otherwise)? How did you find/choose who to work with?
It's interesting and timely that this issue is raised on the pen-test list. I'll be giving a talk at B-Sides Las Vegas on collaborative pentesting and specifically on some tools we've (rapid7) modified / developed to enable it. The talk is based around something we call pentest-console or ptc, which is really just an alias for the following:

Server:
- Trac/Svn as the basis (which is really a development project tracking software)
- Custom "template" projects to speed typical projects (such as a 5-day, or 10-day pentest)
- Custom shell scripts to augment project creation
- Various parsers to pull data into trac (tickets / wiki)
- Toolkit in svn

Client:
- Eclipse as a front-end
- Mylyn for Trac-Ticket Integration (and possibly time-tracking)

These tools were developed to help us better maintain methodology, and re-use existing work. However, it turns out that they're quite useful for collaboration / communication during a pentest, scalability to large teams, automatic report-gen and various other nice-to-haves. You can find more info on the talk here: http://www.securitybsides.com

---

To answer your other, more business-oriented questions, however:

Q: Have you ever worked or collaborated with another pen-test company on projects?
A: Yep

Q: How did it work out? What prompted the collaboration effort?
A: Depends on the relationship, depends on the work, depends on lots of things. Depending on how the relationship is managed, you could end up holding hands, or stabbing each other at the end of it. My experiences have been prompted by various business needs, whether it's the need for a specific type of expertise, or just too much work to handle in-house.

Q: How did you manage the relationship with "the competition" and was it a successful engagement (financial or otherwise)?
A: "competition" is definitely debatable. Generally, you don't want to sub out your core business functionality, so if you're giving your best work away to the competition, you're probably doing something wrong. The exception to that is when you have too much work (especially if you do not have a growing backlog), and you need to fill in gaps w/ other vendors.

Q: How did you find/choose who to work with?
A: Most consulting / services firms are happy to discuss this kind of arrangement. I would suggest talking to your contacts and finding someone you trust, first and foremost. It's quite common to contract penetration testing work; some companies do this more than others. Many independent penetration testers in the US work as contractors because it's more lucrative.
> Well, one time when a customer wanted an application which required a very high level of securing they actually went as far as to order two companies (us and The Others™) to take care of it. Initially, we were both not too thrilled.
I've had this experience before as well. Generally it's best (and the client / customer would like you to focus in different areas).
> As it turned out though, we were the crypto freaks and had a strong grasp on technical security while the other company was focussing mainly on organizational security, so we let them take care of that part of the job and hacked away peacefully.
Hopefully you both learned some things from each other :)

cheers,
jcran
> (But usually companies just want one "security provider".)
>
> Kind regards,
> Tonnerre
> --
> SyGroup GmbH                    Tonnerre Lombard
> Solutions Systematiques         Tel: +41 61 333 80 33
> Güterstrasse 86                 Fax: +41 61 383 14 67
> 4053 Basel                      Web: www.sygroup.ch
>                                 tonnerre.lombard () sygroup ch
Current thread:
- Cross-company collaboration Erin Carroll (Jul 17)
- Re: Cross-company collaboration Tonnerre Lombard (Jul 22)
- RE: Cross-company collaboration Jonathan Cran (Jul 30)
- Re: Cross-company collaboration Adriel T. Desautels (Jul 30)
- RE: Cross-company collaboration Jonathan Cran (Jul 30)
- Re: Cross-company collaboration Tonnerre Lombard (Jul 22)