Penetration Testing
Choosing an Independent Penetration Testing Firm Feb 07 2013 01:31AM
Remi Broemeling (remi broemeling org) (4 replies)
Re: Choosing an Independent Penetration Testing Firm Feb 07 2013 09:23AM
Anders Thulin (anders thulin sentor se)
On 2013-02-07 02:31, Remi Broemeling wrote:

> Does anyone on here have any specific recommendations on what to look
> for when choosing an independent penetration testing firm?

It usually takes one to know one. But as always, asking for references for
comparable jobs and evaluating them is often a good thing to do.

Reporting is the most important part of the job: if you get a report you
can't use, don't understand, or that doesn't cover what you need it to cover,
the job will be largely wasted. Ask for a sample, and discuss it with them. You
need to think things through: what *do* you need the report for? Do you need
one or more reports? In some environments knowledge about vulnerabilities
must be kept compartmentalized. You may need a different structure than the sample,
and the tester should not have any problems with that. (If they do, they may be
relying on pre-canned functionality, which may not be a good sign.)

The company should be able to explain what they mean by a penetration test.
Some just do vulnerability scans without actual penetration attempts, others
include things like denial-of-service attacks, social engineering, physical
intrusion etc. in the term.

The company should ask for systems that require special considerations: systems
that must not be upset by the tests. (Doing a pen-test on a live environment
during an important demo for a customer or investor, for example, is a no-no.)
Some tests might be advisable to do on certain dates or at certain times, when
system admins can be watching. If they don't ask you, ask them.

Also ask them about confidentiality agreements, damage insurance, certifications,
methodology, tools, vulnerability classifications. Not all are relevant, and you
may not care about the actual reply, but you do want to know how they reply.

You may also ask them for recommended action: how they would like *you* to work
with the results. Some companies stop at mitigating action, such as removing some
services and reconfiguring others, while others would prefer you to identify and
correct any errors in procedures or routines that contributed to any vulnerability
found. If one vulnerability is due to sloppy change management, just correcting
the vulnerability doesn't really address the root cause of it.

If you have any 'friend companies', benchmarking partners, etc. who have done
pen tests, check with them for experiences and recommendations.

Anders Thulin 070-757 36 10 / Intl. +46 70 757 36 10
