Penetration Testing mailing list archives

Re: Choosing an Independent Penetration Testing Firm


From: Owen Connolly <ojconnolly () gmail com>
Date: Thu, 07 Feb 2013 12:10:56 +0000

OK…

There are 2 sides to the advice I'll give you… I've previously worked on
both sides of the fence! :-)

For their side:

1.  You need to meet the person who leads their pen test practice.  That
will allow you to get a feel for the attitude of the organisation.
2.  Ask to see their methodology?  Does it stand up to scrutiny? Do a
contrast and compare with the free standards out there:
        A. OSSTMM
        B. PTES
        C. NIST SP 800-115
        D. OWASP Testing Guide
        E. Pen Testing framework

3. Ask for the qualifications of the team that will be performing your pen
test.
4. Sample reports would be good, but without context they're often just
pretty pictures and vague text, so don't rely on them.

For Your side:

1. What service do you want?
        A. A one off pen test to tick a box?
        B. A recurring contract for Quarterly/Yearly/Ad Hoc Pen tests?
        C. Option A with remediation advice and a re-test?
        D. Haven't really thought about it and probably need advice? :-)

2. What are your rules of engagement?
        A. Full on/No holds barred bad guy style attempt?
        B. A glorified vulnerability scan?
        C. Something in the middle, but not sure what? :-)

3. What's your budget?
        A. Unlimited?
        B. Non-existent?
        C. Actually need to put together a business case and take it to the PTB! :-)


Are you getting a picture here? The more professionally you engage with
the organisations the more professionally they'll respond and the amateurs
will drop by the wayside…

If you haven't done this before, then I'd suggest bringing in a consultant
to help you understand your requirements, build the business case and then
put together a proper RFI/RFP for the work involved.

Cheers,

ojc



On 07/02/2013 01:31, "Remi Broemeling" <remi () broemeling org> wrote:

Hi all,

I'm currently in the process of sizing up/comparing various
Penetration Testing firms, and am having a bit of trouble finding
distinguishing characteristics between them.  I've looked at a fair
few, but they all seem to offer very similar services with little to
recommend one over another.  What I'm looking for is an independent
firm capable of doing external penetration tests against a small
datacenter cluster of hosts and then providing a report of their
results (I realize that I just described the general process of
penetration testing).

Does anyone on here have any specific recommendations on what to look
for when choosing an independent penetration testing firm?

Thanks,

Remi

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



