Re: Evaluating pentesters

[Andre Gironda <andreg () gmail com>]

On Fri, Mar 5, 2010 at 5:01 PM, Tony Turner <tony_l_turner () yahoo com> wrote:
> Is there some kind of "Who's Who" of penetration testing firms? Right

Is there some kind of capital planning, budgeting, or decision-making
process that occurs before a company seeks out to hire penetration
testing firm(s)?

> now my primary methods for evaluating potential firms for pentest
> engagements are requesting sanitized reports from past tests and asking
> questions about their methodology. Is there some resource online I might
> be able to use to locate quality testers? I've been burned in the past

http://www.penetration-testing.com

> with some real bad ones.. I'm looking for
> network/systems/application/web/wireless from a PCI focused firm. Not so

Why PCI DSS focused and not anything else? I would have rather you
said ISO 27002, BITS FISAP, or Unified Compliance. Actually I would
rather have you say that this is risk management and fraud management
focused, perhaps citing standards in those areas.

> much interested in physical security and social engineering tests at
> this time but these services may be useful for future engagements. Also

Ok. So really you want application security consulting, perhaps
heavily leaning on threat-modeling or strategy consulting?

> not interested in paying good money for someone else to just do a
> Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful
> tools of course, but I've met a few idiots who thought that was what
> penetration testing was. I am in the SE United States.

I don't think the tools matter at all. You could have some ninja that
modified the hell out of Kismet and Nessus. Less likely would be
someone who modified QualysGuard or WhiteHatSecurity (unfortunately,
these are SaaS offerings -- meaning that they have limited or zero
customer input into their customization), although certainly these two
companies offer cheap, one-size-fits-all vulnerability assessments
that meet the criteria for PCI DSS. The data that you receive from
them is very short-term, fleeting, and it leaves you wanting more (and
it's biased by the vendors' short sightedness). However, it's probably
a good start if you've only had worse penetration tests done.
Sometimes the best way to work with these companies is through a
reseller (if you're a small company). For example. Qualys partners
with Neohapsis and WhiteHat Security partners with Aspect Security.
Another SaaS provider, Veracode, might also be worth looking into.

Andre

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------