Penetration Testing
Choosing an Independent Penetration Testing Firm Feb 07 2013 01:31AM
Remi Broemeling (remi broemeling org) (4 replies)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 12:10PM
Owen Connolly (ojconnolly gmail com)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 09:23AM
Anders Thulin (anders thulin sentor se)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 03:38AM
Eric Schultz (fire0088 gmail com)
First, you'll want to create rules of engagement - a list of attack
methods you do and don't want tested (i.e. spear phishing, physical
penetration, social engineering). Also note if you want focus on
certain components of your infrastructure, or things you don't feel
confident about. Essentially, all the pen test companies (you said
firm... lol) will offer the same services, but some may have
specialties. This is similar to other industries, like finding a
contractor to do home repair. Sure, they all can do the same stuff,
but some may have more experience with tiling than electrical work.
You need to ask questions to see which company you feel the most
comfortable with.

Here are a few questions you can ask to help sort out the competition:

Cost?

How many testers will do the technical work?

What time frame do they expect?

Major customers/references?

How long have they been in business?

Do they have experience working under your requirements (external,
small companies, similar hardware/software environments, experience
working under similar rules of engagement to yours, etc.)?

Can you view the testers' relevant experience?

What certs do the testers have?

What's their methodology? Do they just run scans, perform automated
recon, manually test everything, etc.?

What tools do they use?

How much of their testing relies on these tools?

Do they have a sample report?

Do they write canned reports? If not, how customized are their reports?

Do they have technical writers work on the report, or do the testers
write it themselves?

Is your business required to follow security compliance policies (i.e.
FISMA, HIPAA, that credit card one)? Do they have experience testing
in these environments? This isn't a requirement, but can help with
recommendations and proves they have relevant industry experience.

Hope this helps,

Eric

Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 02:30AM
Justin Rogosky (jrogosky gmail com) (1 replies)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 03:15AM
Sergey Soldatov (votadlos gmail com)