Penetration Testing mailing list archives

Fwd: Evaluating pentesters


From: Daniel Hood <dsmhood () gmail com>
Date: Wed, 10 Mar 2010 20:53:28 +1100

I'm usually on the other side of the fence with this sort of stuff
(being a pen-tester). But I guess the easiest way to weed out those
"cash-hungry" bogans who just use tools like Nessus and such and then
hand you the scan results, and those people who have a little bit of
experience with Metasploit and think they are the best, is to check
into their companies and make sure they have some kind of R&D
department. Not a product R&D department, but one that's doing actual
original research into vulnerabilities and has a couple of original
whitepapers on their website about various forms of pen-testing.

Companies that do research and publish exploits they have researched
and written themselves are usually the ones that are worth their coin.
And if you have a quick flick through their whitepapers, you can
usually get a good feel of how they work and some of the methodologies
they use, instead of trying to work out whether they are BS'ing or
giving you gold in a first interview when you ask them about
methodologies and skill levels...

Just my two cents,

Daniel

On Sat, Mar 6, 2010 at 11:01 AM, Tony Turner <tony_l_turner () yahoo com> wrote:

Is there some kind of "Who's Who" of penetration testing firms? Right
now my primary methods for evaluating potential firms for pentest
engagements are requesting sanitized reports from past tests and asking
questions about their methodology. Is there some resource online I might
be able to use to locate quality testers? I've been burned in the past
with some real bad ones. I'm looking for
network/systems/application/web/wireless from a PCI-focused firm. Not so
much interested in physical security and social engineering tests at
this time, but these services may be useful for future engagements. Also
not interested in paying good money for someone else to just do a
Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful
tools of course, but I've met a few idiots who thought that was what
penetration testing was. I am in the SE United States.

--

Tony L Turner
CISSP, CISA, GPEN, GCIA, GSEC, VCP, ITIL-F

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------