Re: Evaluating pentesters

["Drexx Laggui [personal]" <drexxl () gmail com>]

08Apr2010 (UTC +8)


Hiya Tony,

On Sat, Mar 6, 2010 at 08:01, Tony Turner <tony_l_turner () yahoo com> wrote:
> Is there some kind of "Who's Who" of penetration testing firms? Right
> now my primary methods for evaluating potential firms for pentest
> engagements are requesting sanitized reports from past tests and asking
> questions about their methodology. Is there some resource online I might
> be able to use to locate quality testers? I've been burned in the past
> with some real bad ones.. I'm looking for
> network/systems/application/web/wireless from a PCI focused firm. Not so
> much interested in physical security and social engineering tests at
> this time but these services may be useful for future engagements. Also
> not interested in paying good money for someone else to just do a
> Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful
> tools of course, but I've met a few idiots who thought that was what
> penetration testing was. I am in the SE United States.
>
> Tony L Turner
> CISSP, CISA, GPEN, GCIA, GSEC, VCP, ITIL-F

A lot of other guys have chimed in here with great & useful advice,
saying that you'd have to interview the prospective pentesters to weed
out the BS, ask them about their methodologies, if they work using
OSSTMM and how do they use it, what are their tools, sample of their
pentest report, etc...

..but nobody has mentioned about the *trustworthiness* of the pentesters yet.


Since 2005, when my team started out on this business, we've done less
than 20 (I can't recall exact number) pentests there in US (targets in
NY, IL & CA), but mostly in the Philippines (for the financial
services industry). ALL of them were very particular in asking about
what we were going to do with the data we've collected, who we are,
our reputation as pentesters, what others say about us, and how high
is the turn-over of people in our company (specifically with the
pentesting team).

They also required us to be insured (by a reputable insurance
company), what tools we use (with more questions if we're using
open-source stuff) and must have data destruction procedures. Since my
company is composed of friends since my High School days, we have had
zero turn-over --thus no data leakage to 3rd-party entities. There are
other hoops that we had to go through, but I think you're getting it
by now.

Business owners, auditors and IT people in the banking industry are
paranoid :) They have good reason to, given the amount of Hollywood
movies out there about hackers.



Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com  ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4  8363 FFEC 3976 FF31 8A4E

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------