Penetration Testing mailing list archives
Re: Choosing an Independent Penetration Testing Firm
From: Eric Schultz <fire0088 () gmail com>
Date: Wed, 6 Feb 2013 22:38:14 -0500
First, you'll want to create rules of engagement - a list of attack methods you do and don't want tested (i.e. spear phishing, physical penetration, social engineering). Also note if you want focus on certain components of your infrastructure, or things you don't feel confident about.

Essentially, all the pen test companies (you said firm.. lol) will offer the same services, but some may have specialties. This is similar to other industries, like finding a contractor to do home repair. Sure, they all can do the same stuff, but some may have more experience with tiling than electrical work. You need to ask questions to see which company you feel the most comfortable with. Here's a few questions you can ask to help sort out the competition:

- Cost?
- How many testers will do the technical work?
- What time frame do they expect?
- Major customers/references?
- How long have they been in business?
- Do they have experience working under your requirements (external, small companies, similar hardware/software environments, experience working under similar rules of engagement to yours, etc.)?
- Can you view the testers' relevant experience?
- What certs do the testers have?
- What's their methodology? Do they just run scans, perform automated recon, manually test everything, etc.?
- What tools do they use? How much of their testing relies on these tools?
- Do they have a sample report?
- Do they write canned reports? If not, how customized are their reports?
- Do they have technical writers work on the report, or do the testers write it themselves?
- Is your business required to follow security compliance policies (i.e. FISMA, HIPAA, that credit card one)? Do they have experience testing in these environments? This isn't a requirement, but can help with recommendations and proves they have relevant industry experience.
Hope this helps,
Eric