Re: pen testing rfp

[Trojacek <trojacek () gmail com>]

What sort of attestation letter were you thinking?


On Mon, Oct 19, 2009 at 1:32 PM, John Bennett <john () glitterpants org> wrote:
> I am preparing a penetration testing RFP and have come up with a list of
> questions.  Anybody see anything they think should be included??
>
> So far I have:
> *ability to test web applications, webservices or any internet facing
> application
> *ability to provide detailed reporting with POC exploits
> *include at least one re-test to confirm mitigation efforts were
> successful
> *ability to interface with developers/application owners to discuss open
> vulnerabilities in detail and help guide mitigation
> *ability to provide attestation letter for various compliance
> requirements and the ability to produce a 'good guy' letter for customer
> audits
> *have a turn around time from quote to report submission of 1 month
> *Ability to create our own testing schedule and times
> *Contact business owner/application owner before compromising systems
> with suspected exploits and notification of 'urgent' vulnerabilities
> found
> *Have documented cleanup/post mortem plan as part of post testing
> process
> *Have the ability to provide tiered service and flexible pricing based
> on the complexity of the application.
> *Have the ability to do a vulnerability assessment versus penetration
> test for lower tier applications at a significantly reduced cost
> *Highly skilled staff with industry recognized certifications
> *ability to provide trending reports
> *ability to retest as as often as desired
> *ability to provide an interface developers/application owners can
> *'portal' like access to check results or launch retest
> *Have the ability to routinely test 20+ applications on a continuous
> basis
>
> thanks!
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------