Re: How to pick the right company for penetration testing?

From: Travis Schack (Travis@Vitalisec.com)
Date: Tue Jan 27 2004 - 20:03:36 EST


In-Reply-To: <000201c3e4e9$98a94990$c8a8a8c0@selfb5zlf10bdt>

Vulnerability testing and penetration testing are two different types of testing in existence. While both testing types have some similarities, the results and objectives are different. The current OSSTMM (page 14) provides definitions for these types of testing and others.

I agree that any type of testing will only be as good as the technical and analytical personnel performing the test. I would recommend reading through, if you have not, the OSSTMM (www.osstmm.org). The OSSTMM is not only valuable to security testing/analytical professionals but also provides a framework to evaluate security testing companies in the industry.

I agree with Pete on evaluating them on their “ethics, sales, and service skills”. Look at the “Rules of Engagement” section of the OSSTMM.

I would also recommend evaluating which methodologies they follow (OSSTMM, OWASP, NSA IAM, ISO-17799, etc.). How do they address the different legislative and privacy issues that businesses face today? How do they align the testing objectives and results with the company’s mission and objectives? What limitations does the company have (i.e., technical skills, business analytical skills, technical writing, etc.)? How long have they been in business? Did they start off with security testing services, or did they get into it because it is the “flavor of the month”? What is their mission? What is their vision?

Also, how do they hire people? What are the qualifications? Testing or Analytical skills? Certification requirements? What are the requirements for keeping their testing/analytical skills up-to-date? What conferences do they attend? Do they perform background checks? Do they hire ex-hackers?

These are some limited suggestions. They should help you in determining which companies are mature and professional enough to move to the next step of looking at business viability objectives (financials, etc.).

Travis
Vitalisec Inc.



>That's a bold statement "leader in the space." I don't believe there is a
>single leader in the penetration testing space, there are choices. Answering
>his question about credentials, information, references might be less
>subjective.
>
>Regards,
>
>Eric Greenberg
>Chief Technical Officer
>NetFrameworks, Inc.
>http://www.NetFrameworks.com
>
>-----Original Message-----
>Andy,
>
>You should investigate vulnerability scanning services. The leader in the space is Qualys




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:47 EDT