Penetration Testing
Choosing an Independent Penetration Testing Firm Feb 07 2013 01:31AM
Remi Broemeling (remi broemeling org) (4 replies)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 12:10PM
Owen Connolly (ojconnolly gmail com)
OK...

There are 2 sides to the advice I'll give you... I've previously worked on
both sides of the fence! :-)

For their side:

1. You need to meet the person who leads their pen test practice. That
will allow you to get a feel for the attitude of the organisation.
2. Ask to see their methodology. Does it stand up to scrutiny? Do a
contrast and compare with the free standards out there:
A. OSSTMM
B. PTES
C. NIST SP 800-115
D. OWASP Testing Guide
E. Pen Testing framework

3. Ask for the qualifications of the team that will be performing your pen
test.
4. Sample reports would be good, but without context they're often just
pretty pictures and vague text, so don't rely on them.

For Your side:

1. What service do you want?
A. A one off pen test to tick a box?
B. A recurring contract for Quarterly/Yearly/Ad Hoc Pen tests?
C. Option A with remediation advice and a re-test?
D. Haven't really thought about it and probably need advice? :-)

2. What are your rules of engagement?
A. Full on/No holds barred bad guy style attempt?
B. A glorified vulnerability scan?
C. Something in the middle, but not sure what? :-)

3. What's your budget?
A. Unlimited?
B. Non-existent?
C. Actually need to put together a business case and take it to the PTB! :-)

Are you getting a picture here? The more professionally you engage with
the organisations, the more professionally they'll respond, and the amateurs
will drop by the wayside.

If you haven't done this before, then I'd suggest bringing in a consultant
to help you understand your requirements, build the business case and then
put together a proper RFI/RFP for the work involved.

Cheers,

ojc

On 07/02/2013 01:31, "Remi Broemeling" <remi (at) broemeling (dot) org> wrote:

>Hi all,
>
>I'm currently in the process of sizing up/comparing various
>Penetration Testing firms, and am having a bit of trouble finding
>distinguishing characteristics between them. I've looked at a fair
>few, but they all seem to offer very similar services with little to
>recommend one over another. What I'm looking for is an independent
>firm capable of doing external penetration tests against a small
>datacenter cluster of hosts and then providing a report of their
>results (I realize that I just described the general process of
>penetration testing).
>
>Does anyone on here have any specific recommendations on what to look
>for when choosing an independent penetration testing firm?
>
>Thanks,
>
>Remi
>
>------------------------------------------------------------------------
>This list is sponsored by: Information Assurance Certification Review
>Board
>
>Prove to peers and potential employers without a doubt that you can
>actually do a proper penetration test. IACRB CPT and CEPT certs require a
>full practical examination in order to become certified.
>
>http://www.iacertification.org
>------------------------------------------------------------------------
>

Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 09:23AM
Anders Thulin (anders thulin sentor se)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 03:38AM
Eric Schultz (fire0088 gmail com)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 02:30AM
Justin Rogosky (jrogosky gmail com) (1 replies)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 03:15AM
Sergey Soldatov (votadlos gmail com)