Organising a penetration test for your organisation
March 18th, 2007 Drazen Drazic Posted in Applications, Bad Developers, Forensics, Research, Vulnerability Management, Web Application Security, cyber crime
Some good points raised in this article: www.it-observer.com/articles.php?id=1308
There are few good companies out there that do penetration testing well, and they are generally the smaller specialist organisations (yeah, I have to mention Security-assessment.com).
We still see and hear about mobs doing this work for clients and shake our heads at the results / output. There are still guys out there running basic vulnerability assessment (VA) and port scans, delivering stock standard reports straight out of the likes of Nessus to clients and calling it a penetration test. A scanner report lists what a tool could fingerprint; it does not show whether any of it can actually be exploited or chained together, which is the question a penetration test is supposed to answer.
It's hard for organisations to know what questions to ask and how to compare offerings because it is such a specialised field. This article goes some way to helping.


March 19th, 2007 at 1:44 am
Hmm agree here.
Whatever about SANS, take a look at Sensepost’s grading and training.
http://www.sensepost.com/training_combatrate.html
I had this idea about ‘moving targets’ as a defense mechanism.
This has always been my list for pen testing:
Security-Assessment http://www.security-assessment.com/
Corsaire http://www.corsaire.com/
NGS http://www.ngssoftware.com/
MJR seems to be a bit grumpy with the penetrate and patch mentality and I am on the fence somewhat with this as I like to think of a pentest as QA or independent audit when resources are not a) available, b) believed to be warranted or c) skilled enough in-house… which can also raise the SDLC argument.
D.
March 19th, 2007 at 1:58 am
Corsaire have a good summary written by Glyn. http://research.corsaire.com/articles/030115-which-assessment-provider.html
From their articles:
http://research.corsaire.com/articles/
D.
March 19th, 2007 at 5:04 am
Thanks for the rating D.
From you, that means a lot.
It’s a struggle sometimes to win business over Big Company X, Y and Z etc. when some clients have little to no experience in knowing how to compare competing proposals. As good as the sales and marketing team are, there are clients out there who’ll go with the big global brand every time.
It is a small industry with few really good companies and testers out there, but geez there’s a lot of companies who offer these services. The good guys know the other good guys and most times we’re not overly upset at losing out to them, and I know that works the other way, but it’s tough losing to some you know are just not going to deliver work to that client.
I think things are slowly changing though for the better.
July 17th, 2007 at 3:20 am
This is exactly what I expected to find out after reading the title. Thanks for the informative article.