Penetration Testing mailing list archives
Re: Evaluating pentesters
From: "Drexx Laggui [personal]" <drexxl () gmail com>
Date: Thu, 8 Apr 2010 14:53:48 +0800
08Apr2010 (UTC +8) Hiya Tony, On Sat, Mar 6, 2010 at 08:01, Tony Turner <tony_l_turner () yahoo com> wrote:
Is there some kind of "Who's Who" of penetration testing firms? Right now my primary methods for evaluating potential firms for pentest engagements are requesting sanitized reports from past tests and asking questions about their methodology. Is there some resource online I might be able to use to locate quality testers? I've been burned in the past with some real bad ones.. I'm looking for network/systems/application/web/wireless from a PCI focused firm. Not so much interested in physical security and social engineering tests at this time but these services may be useful for future engagements. Also not interested in paying good money for someone else to just do a Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful tools of course, but I've met a few idiots who thought that was what penetration testing was. I am in the SE United States. Tony L Turner CISSP, CISA, GPEN, GCIA, GSEC, VCP, ITIL-F
A lot of other guys have chimed in here with great & useful advice, saying that you'd have to interview the prospective pentesters to weed out the BS, ask them about their methodologies, if they work using OSSTMM and how do they use it, what are their tools, sample of their pentest report, etc... ..but nobody has mentioned about the *trustworthiness* of the pentesters yet. Since 2005, when my team started out on this business, we've done less than 20 (I can't recall exact number) pentests there in US (targets in NY, IL & CA), but mostly in the Philippines (for the financial services industry). ALL of them were very particular in asking about what we were going to do with the data we've collected, who we are, our reputation as pentesters, what others say about us, and how high is the turn-over of people in our company (specifically with the pentesting team). They also required us to be insured (by a reputable insurance company), what tools we use (with more questions if we're using open-source stuff) and must have data destruction procedures. Since my company is composed of friends since my High School days, we have had zero turn-over --thus no data leakage to 3rd-party entities. There are other hoops that we had to go through, but I think you're getting it by now. Business owners, auditors and IT people in the banking industry are paranoid :) They have good reason to, given the amount of Hollywood movies out there about hackers. Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA http://www.laggui.com ( Singapore / Manila / California ) Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Re: Evaluating pentesters Drexx Laggui [personal] (Apr 08)
- <Possible follow-ups>
- Re: Evaluating pentesters Drexx Laggui [personal] (Apr 08)
- Re: Evaluating pentesters Ivan . (Apr 12)