Penetration Testing mailing list archives
pen testing rfp
From: John Bennett <john () glitterpants org>
Date: Mon, 19 Oct 2009 13:32:48 -0500
I am preparing a penetration testing RFP and have come up with a list of questions. Anybody see anything they think should be included? So far I have:

* ability to test web applications, web services or any internet facing application
* ability to provide detailed reporting with POC exploits
* include at least one re-test to confirm mitigation efforts were successful
* ability to interface with developers/application owners to discuss open vulnerabilities in detail and help guide mitigation
* ability to provide attestation letter for various compliance requirements and the ability to produce a 'good guy' letter for customer audits
* have a turnaround time from quote to report submission of 1 month
* Ability to create our own testing schedule and times
* Contact business owner/application owner before compromising systems with suspected exploits and notification of 'urgent' vulnerabilities found
* Have documented cleanup/post mortem plan as part of post testing process
* Have the ability to provide tiered service and flexible pricing based on the complexity of the application.
* Have the ability to do a vulnerability assessment versus penetration test for lower tier applications at a significantly reduced cost
* Highly skilled staff with industry recognized certifications
* ability to provide trending reports
* ability to retest as often as desired
* ability to provide an interface developers/application owners can
* 'portal' like access to check results or launch retest
* Have the ability to routinely test 20+ applications on a continuous basis

thanks!