Penetration Testing mailing list archives
Re: Evaluating pentesters
From: Tracy Reed <treed () copilotco com>
Date: Mon, 8 Mar 2010 13:44:43 -0800
On Fri, Mar 05, 2010 at 07:01:33PM -0500, Tony Turner spake thusly:
> I've been burned in the past with some real bad ones..
Just out of curiosity, what makes for a bad pen-testing firm? I'm going to be looking for one myself (PCI as well) and would like to know what to avoid. Although pen-testing is way-overrated IMHO. The attackers will have far more time and be far more resourceful than your pen-testers will ever be.
Also not interested in paying good money for someone else to just do a Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful tools of course, but I've met a few idiots who thought that was what penetration testing was. I am in the SE United States.
There seems to be a cottage industry of small shops preying on merchants who don't really know what PCI is who will sell them a scan and tell them they are good to go. It's happened here.

--
Tracy Reed
http://tracyreed.org
Current thread:
- Evaluating pentesters Tony Turner (Mar 08)
- Re: Evaluating pentesters Tracy Reed (Mar 08)
- Re: Evaluating pentesters security curmudgeon (Mar 11)
- Re: Evaluating pentesters David Glosser (Mar 08)
- Re: Evaluating pentesters Andre Gironda (Mar 08)
- Re: Evaluating pentesters aceinyaface (Mar 09)
- Re: Evaluating pentesters Jason Ross (Mar 09)
- Re: Evaluating pentesters Brent Huston (Mar 11)
- Re: Evaluating pentesters Shohn Trojacek (Mar 09)
- Re: Evaluating pentesters Rudra Kamal Sinha Roy (Mar 11)
- RE: Evaluating pentesters Frye, Dan (Mar 11)
- RE: Evaluating pentesters security curmudgeon (Mar 15)
- Re: Evaluating pentesters Rudra Kamal Sinha Roy (Mar 11)
- Re: Evaluating pentesters Tracy Reed (Mar 08)