I too have to back up the sentiment on having a single provider for assessments. It's somewhat rare to have two completely different companies perform a financial audit, why have two different pen testers? And while it drives Paul *nuts* every time I make the comparison, auditors and pen testers really aren't that far apart when you think about it... They both ask the question "Are you sure? Let's find out!"

The big thing that you have to take away from this is that you need a good RFP-style process where you ask a gauntlet of questions to everyone you'd consider poking around with your network. In addition to experience, tools used, and references, some other items to cover are:

- reporting
- follow-up (will/should the pentester offer to fix vulnerabilities?)
- findings (it's possible that a pentester could uncover a 0-day... how will this get reported or handled?)
- timeframe for work (some companies want 1-week pentests -- IMO this is far too short)
- methods allowed (some companies will only allow remote, while others have no problems with internal-based tests -- let your external pentest team know in great detail what you need/want)
- cost (I've had some decent success saying upfront "I have $5k, what can I get?" It's better for both parties to do that than sign up and at the last second reduce the $ by 75% -- still seething over that one)

What an interesting topic! Maybe we should do this on the show sometime...

Best of luck,
- Mick

On Thu, Aug 6, 2009 at 10:26 AM, Paul Asadoorian <[email protected]> wrote:
> While I am biased (yes, we do pen tests and web app assessments), I
> don't see the benefit of using different vendors every year.
>
> I believe it's better to build a relationship with a reputable company
> that does a good job. If they do a good job, stick with them, as they
> understand your business and now have an established relationship.
> Think of the time spent from the customer's end having to explain your
> environment, challenges, policies, business model, to a new firm every
> year. You can also get a fresh perspective from the same company
> because they may have added new employees (a good question to ask).
>
> Also, using the same firm allows you to build on past tests. Any one
> company can only get so far in one week, but using the same company for
> your testing allows them to pick up where they left off. Using a
> different company, they are going to start fresh, probably finding much
> of the same problems as the previous company (unless the company totally
> sucks, which is a different conversation).
>
> My recommendation is to apply a similar level of scrutiny to your pen
> test company as you do for potential employees. Don't be afraid to ask
> hard questions, samples of work, references, and even throw a test or
> challenge at them. This will help you weed out "the suck" :)
>
> Cheers,
> Paul
>
> Raffi Jamgotchian wrote:
>> We would do something similar in the early days, but we would rotate
>> between two vendors every year. We eventually dropped one of them
>> because we saw they weren't adding any additional value.
>>
>>
>> On Aug 6, 2009, at 12:50 AM, Vincent Lape wrote:
>>
>>> It's kinda odd to jump from one cheap place to another. I can totally
>>> understand the option for diverse testing; however, generally one would
>>> have 2 companies scan at the same time to see if there were any
>>> misses. Additionally, jumping around yearly from one place to another
>>> will not prove if one place had missed something or not. Your external
>>> environment will change from one year to the next. With the security
>>> field you'll find it the same as any other, meaning you get what you
>>> pay for. For example, if you take a $50 lawyer to court with you, or
>>> choose a super cut-rate insurance company, don't expect to get the same
>>> results you would if you went with a more experienced provider. One
>>> thing you may find with the "startup priced" places is the people
>>> doing the work may be a bit green. Knowledgeable, may have the certs
>>> to do so, however not seasoned enough to really dig in. Or even worse,
>>> you may end up getting the script kiddie special of some yahoo who
>>> downloaded the newest automated tools and is now a pen tester. In my
>>> past experience, when I look at a prospect that has been scanned
>>> before, I ask to review the previous scans.
>>>
>>> To somewhat answer your question, I have used Protiviti in the past
>>> for my external net and app scans. For a 2x /24 with 350 hosts we were
>>> charged 10K per scan. They used several tools (Core, Nessus, et al.)
>>> as well as homegrown stuff they have put together. Another thing you
>>> might want to think about is contacting Paul directly to see if he is
>>> open for some consulting.
>>>
>>> On Aug 5, 2009, at 3:19 PM, Kennith Asher wrote:
>>>
>>>> The company I work for contracts with third parties each year to
>>>> perform web app and network penetration tests. In the interest of
>>>> getting a different view of our vulnerabilities each time, we've
>>>> decided to go with new vendors this year (and each year hereafter).
>>>>
>>>> Can any of you out there provide unvarnished truth about your
>>>> experiences in similar endeavors? I'm looking to put together a
>>>> short list of reputable firms who come recommended by people in the
>>>> know.
>>>>
>>>> The list should hold up to enterprise scrutiny (must be reputable)
>>>> and should be start-up priced. (Aren't all security purchases
>>>> subject to such criteria?)
>>>>
>>>> Thanks for your input,
>>>>
>>>> Ken
>>>>
>>>>
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552
