Penetration Testing mailing list archives
Re: Choosing an Independent Penetration Testing Firm
From: Owen Connolly <ojconnolly () gmail com>
Date: Thu, 07 Feb 2013 12:10:56 +0000
OK, there are 2 sides to the advice I'll give you; I've previously worked on both sides of the fence! :-)

For their side:

1. You need to meet the person who leads their pen test practice. That will allow you to get a feel for the attitude of the organisation.
2. Ask to see their methodology. Does it stand up to scrutiny? Do a contrast and compare with the free standards out there:
   A. OSSTMM
   B. PTES
   C. NIST SP 800-115
   D. OWASP Testing Guide
   E. Pen Testing Framework
3. Ask for the qualifications of the team that will be performing your pen test.
4. Sample reports would be good, but without context they're often just pretty pictures and vague text, so don't rely on them.

For your side:

1. What service do you want?
   A. A one-off pen test to tick a box?
   B. A recurring contract for quarterly/yearly/ad hoc pen tests?
   C. Option A with remediation advice and a re-test?
   D. Haven't really thought about it and probably need advice? :-)
2. What are your rules of engagement?
   A. Full on/no holds barred, bad-guy-style attempt?
   B. A glorified vulnerability scan?
   C. Something in the middle, but not sure what? :-)
3. What's your budget?
   A. Unlimited?
   B. Non-existent?
   C. Actually need to put together a business case and take it to the PTB! :-)

Are you getting a picture here? The more professionally you engage with the organisations, the more professionally they'll respond, and the amateurs will drop by the wayside.

If you haven't done this before, then I'd suggest bringing in a consultant to help you understand your requirements, build the business case and then put together a proper RFI/RFP for the work involved.

Cheers,
ojc

On 07/02/2013 01:31, "Remi Broemeling" <remi () broemeling org> wrote:
Hi all,

I'm currently in the process of sizing up/comparing various penetration testing firms, and am having a bit of trouble finding distinguishing characteristics between them. I've looked at a fair few, but they all seem to offer very similar services with little to recommend one over another.

What I'm looking for is an independent firm capable of doing external penetration tests against a small datacenter cluster of hosts and then providing a report of their results (I realize that I just described the general process of penetration testing).

Does anyone on here have any specific recommendations on what to look for when choosing an independent penetration testing firm?

Thanks,
Remi

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- Choosing an Independent Penetration Testing Firm Remi Broemeling (Feb 06)
- Re: Choosing an Independent Penetration Testing Firm Justin Rogosky (Feb 06)
- Re: Choosing an Independent Penetration Testing Firm Sergey Soldatov (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Anders Thulin (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Owen Connolly (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Eric Schultz (Feb 07)
- Re: Choosing an Independent Penetration Testing Firm Justin Rogosky (Feb 06)