"One other noteworthy item for you to ponder is that current customers perform pen tests of their own on roughly a quarterly basis and we do have internal quarterly scans as well so we already have a reasonable level of confidence as to where our vulnerabilities lie."
Ken, that's an excellent point. More organizations should have a well-developed vulnerability management program; it's crucial to the success of your security. This way you can find and fix stuff as you go, and then the external testing can focus on areas that you may not be focusing on internally.

Cheers,
Paul

Kennith Asher wrote:
> First let me say that I totally agree, especially in the case of pen tests, that you get what you pay for. (Assuming you know how to evaluate what you're buying.)
>
> Script kiddies and those who simply pass along an unsubstantiated, unverified Qualys report (for instance) don't provide much value regardless of cost.
>
> I am not actually convinced that rotating pen test firms really does much to improve the likelihood of discovering vulnerabilities. I do, however, have a business need to use different vendors. Some of our enterprise customers and prospects require this and audit us against their requirement.
>
> I have to balance getting a high quality result with the need to be able to tell auditors that we are meeting their requirements.
>
> I may be able to justify spending our pen test dollars on the same firm provided that I have shown due diligence by evaluating a small handful of alternatives and demonstrating that the choice was made in appreciation of the intent of this requirement.
>
> I'm looking for high quality first, low price second.
>
> One other noteworthy item for you to ponder is that current customers perform pen tests of their own on roughly a quarterly basis and we do have internal quarterly scans as well, so we already have a reasonable level of confidence as to where our vulnerabilities lie.
>
> Thanks for your comment,
>
> Ken
>
>> On Aug 6, 2009 7:26 AM, "Paul Asadoorian" <[email protected]> wrote:
>>
>> While I am biased (yes, we do pen tests and web app assessments), I don't see the benefit of using different vendors every year.
>>
>> I believe it's better to build a relationship with a reputable company that does a good job. If they do a good job, stick with them, as they understand your business and now have an established relationship. Think of the time spent from the customer's end having to explain your environment, challenges, policies, and business model to a new firm every year. You can also get a fresh perspective from the same company because they may have added new employees (a good question to ask).
>>
>> Also, using the same firm allows you to build on past tests. Any one company can only get so far in one week, but using the same company for your testing allows them to pick up where they left off. Using a different company, they are going to start fresh, probably finding much of the same problems as the previous company (unless the company totally sucks, which is a different conversation).
>>
>> My recommendation is to apply a similar level of scrutiny to your pen test company as you do for potential employees. Don't be afraid to ask hard questions, ask for samples of work and references, and even throw a test or challenge at them. This will help you weed out "the suck" :)
>>
>> Cheers,
>> Paul
>>
>> Raffi Jamgotchian wrote:
>>> We would do something similar in the early days, but we would rotate ...
>>
>> --
>> Paul Asadoorian
>> PaulDotCom Enterprises
>> Web: http://pauldotcom.com
>> Phone: 401.829.9552
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]...

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
